Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

February 2017

Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Text Part Number: OL-27044-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without written authorization from Cisco may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Copyright ©2013 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface 1
    Purpose 1
    Audience 2
    Document Organization 2
    Installation Reference 3
    Document Conventions 3
    Related Documentation 4
        Release-Specific Documents 4
        Platform-Specific Documents 5
    Obtaining Documentation and Submitting a Service Request

CHAPTER 1 Network Deployments in Cisco ISE 1-1
    Architecture Overview 1-1
    Network Deployment Terminology 1-2
    Node Types and Personas in Distributed Deployments 1-3
        Administration Node 1-3
        Policy Service Node 1-3
        Monitoring Node 1-3
        Inline Posture Node 1-4
            Inline Posture Node Installation 1-4
            Inline Posture Node Reuse 1-4
    Standalone and Distributed Deployments 1-5
    Distributed Deployment Scenarios 1-5
        Small Network Deployments 1-5
        Split Deployments 1-6
        Medium-Sized Network Deployments 1-7
        Large Network Deployments 1-8
        Dispersed Network Deployments 1-9
    Deployment Size and Scaling Recommendations 1-10
    Inline Posture Planning Considerations 1-12
    Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions 1-13

CHAPTER 2 Cisco SNS-3400 Series Appliances 2-1
    Cisco SNS-3400 Series Appliance Hardware Specifications 2-1
    Cisco SNS-3400 Series Front and Rear Panels 2-2
    Cisco SNS Support for Cisco ISE 2-4

CHAPTER 3 Installing and Configuring a Cisco SNS-3400 Series Appliance 3-1
    Installing the SNS-3400 Series Appliance in a Rack 3-1
    Downloading the Cisco ISE, Release 1.2 ISO Image 3-1
    Installing Release 1.2 Software on SNS-3400 Series Appliance 3-2
    Cisco Integrated Management Controller 3-3
        Configuring CIMC 3-3
    Creating a Bootable USB Drive 3-5
    Prerequisites for Configuring a Cisco SNS-3400 Series Appliance 3-6
    Cisco ISE Setup Program Parameters 3-7
    Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance 3-9
    Supported Time Zones 3-13
    Setup Process Verification 3-15

CHAPTER 4 Installing Release 1.2 Software on a VMware Virtual Machine 4-1
    Supported VMware Versions 4-1
    Support for VMware vMotion in Release 1.2 4-2
    Virtual Machine Requirements 4-2
    VMware Appliance Size Recommendations 4-3
    Disk Space Requirements 4-4
    Evaluating Release 1.2 4-5
    Configuring a VMware ESX or ESXi Server 4-5
        Enabling Virtualization Technology on an ESX or ESXi Server 4-7
        Configuring VMware Server Interfaces for the Cisco ISE Profiler Service 4-8
        Configuring a VMware Server 4-9
    Preparing a VMware System for Cisco ISE Software Installation 4-17
        Configuring a VMware System to Boot From a Cisco ISE Software DVD 4-17
    Installing Cisco ISE Software on a VMware System 4-19
    Connecting to a Cisco ISE VMware Server Using the Serial Console 4-21
    Cloning a Cisco ISE Virtual Machine 4-24
        Cloning a Cisco ISE Virtual Machine Using a Template 4-26
            Creating a Virtual Machine Template 4-26
            Deploying a Virtual Machine Template 4-26
        Changing the IP Address and Hostname of a Cloned Virtual Machine 4-27
        Connecting a Cloned Cisco Virtual Machine to the Network 4-29

CHAPTER 5 Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances 5-1
    Installing Cisco ISE, Release 1.2, Software from a DVD 5-2
    Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance 5-3
    Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance 5-3
    Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance 5-4
        Resetting the Existing RAID Configuration on a Cisco NAC Appliance 5-5

CHAPTER 6 Managing Administrator Accounts 6-1
    CLI-Admin and Web-Based Admin User Right Differences 6-1
        Tasks Performed by CLI-Admin and Web-Based Admin Users 6-1
        Tasks Performed Only by the CLI-Admin User 6-2
    Creating CLI Admin Users 6-2
    Creating Web-Based Admin Users 6-2

CHAPTER 7 Performing Post-Installation Tasks 7-1
    Accessing Cisco ISE Using a Web Browser 7-1
        Logging In to the Cisco ISE Web-Based Interface 7-2
        Administrator Lockout Following Failed Login Attempts 7-3
        Logging Out of the Cisco ISE Web-Based Interface 7-3
    Installing a License 7-3
    Installing Certificates 7-4
    Verifying a Cisco ISE Configuration 7-4
        Verifying a Configuration Using a Web Browser 7-4
        Verifying a Configuration Using the CLI 7-5
    Verifying the Installation of VMware Tools 7-6
        Upgrading VMware Tools 7-7
    Resetting the Administrator Password 7-7
        Resetting a Lost, Forgotten, or Compromised Password 7-8
        Resetting a Password Due to Administrator Lockout 7-9
    Changing the IP Address of a Cisco ISE Appliance 7-9
    Configuring the Cisco ISE System 7-10
    Enabling System Diagnostic Reports in Cisco ISE 7-10

APPENDIX A Installing the Cisco SNS-3400 Series Appliance in a Rack A-1
    Unpacking and Inspecting the Server A-1
    Safety Guidelines A-2
    Installing a Cisco SNS-3400 Series Appliance in a Rack A-4
        Rack Requirements A-4
        Equipment Requirements A-4
        Slide Rail Adjustment Range A-4
        Installing the Server In a Rack A-4
    Connecting and Powering On the Server A-7
    Checking the LEDs A-8
        Front Panel LEDs and Buttons A-9
        Rear Panel LEDs and Buttons A-10
    Installing or Replacing Server Components A-11

APPENDIX B Cisco SNS-3400 Series Server Specifications B-1
    Physical Specifications B-1
    Environmental Specifications B-1
    Power Specifications B-2
        450-Watt Power Supply B-2
        650-Watt Power Supply B-2

APPENDIX C Cisco SNS-3400 Series Appliance Ports Reference C-1
    Ports to be Used for OCSP and CRL C-9

APPENDIX D Cisco ISE Licenses D-1
    Cisco ISE Licensing D-1
    License Count D-3
    Obtaining a Cisco ISE License from Cisco.com D-3
        Determining Your Hardware ID Using the CLI D-4
        Determining Your Hardware ID Using the Admin Portal D-4
    Adding or Upgrading a License D-5
    Removing a License D-5

APPENDIX E Certificate Management in Cisco ISE E-1
    HTTPS Communication Using the Cisco ISE Certificate E-1
    EAP Communication Using the Cisco ISE Certificate E-2
    Certificates Enable Cisco ISE to Provide Secure Access E-2
    Enabling PKI in Cisco ISE E-3
    Local Certificates E-4
        Wildcard Certificates E-4
            Wildcard Certificates for HTTPS and EAP Communication E-5
            Wildcard Certificate Support in Cisco ISE, Release 1.2 E-6
            Fully Qualified Domain Name in URL Redirection E-6
            Advantages of Using Wildcard Certificates E-7
            Disadvantages of Using Wildcard Certificates E-7
            Wildcard Certificate Compatibility E-8
            Creating a Wildcard Certificate E-8
            Installing Wildcard Certificates in Cisco ISE E-10
                Creating a Certificate Signing Request for Wildcard Certificates E-10
                Exporting the Certificate Signing Request E-11
                Submitting the CSR to a Certificate Authority E-11
                Importing the Root Certificates to the Certificate Store E-12
                Binding the CSR With the New Public Certificate E-13
                Exporting the CA-Signed Certificate and Private Key E-13
                Importing the CA-Signed Certificate to the Policy Service Nodes E-13
        Installing a CA-Signed Certificate in Cisco ISE E-13
        Viewing Local Certificates E-15
        Adding a Local Certificate E-16
            Importing a Local Certificate E-16
            Generating a Self-Signed Certificate E-18
            Generating a Certificate Signing Request E-19
            Binding a CA-Signed Certificate E-20
        Editing a Local Certificate E-21
        Exporting a Local Certificate E-22
    Certificate Signing Requests E-23
        Exporting Certificate Signing Requests E-23
    Certificate Store E-23
        Expiration of X.509 Certificates E-25
        CA Certificate Naming Constraint E-25
        Viewing Certificate Store Certificates E-26
        Changing the Status of a Certificate in Certificate Store E-26
        Adding a Certificate to Certificate Store E-27
        Editing a Certificate Store Certificate E-27
        Exporting a Certificate from the Certificate Store E-27
        Importing Certificate Chains E-28
        Installation of CA Certificates for Cisco ISE Inter-node Communication E-28
            Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL E-28
            Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node E-29
    Simple Certificate Enrollment Protocol Profiles E-29
        Adding Simple Certificate Enrollment Protocol Profiles E-30
    OCSP Services E-30
        OCSP Certificate Status Values E-31
        OCSP High Availability E-31
        OCSP Failures E-31
        Adding OCSP Services E-32
        OCSP Statistics Counters E-33
        Monitoring OCSP E-34
    Configuring Certificates for Inline Posture Nodes E-34

INDEX

Preface

Revised: February 22, 2017

This preface contains the following sections:
• Purpose, page 1
• Audience, page 2
• Document Organization, page 2
• Document Conventions, page 3
• Related Documentation, page 4
• Obtaining Documentation and Submitting a Service Request, page 5

Purpose

This installation guide provides the following types of information about Cisco ISE, Release 1.2:
• Prerequisites for installation
• Procedures for installing the Cisco ISE software on a supported Cisco ISE appliance
• Procedures for installing the Cisco ISE software on a supported VMware virtual machine
• Procedures for installing the Cisco ISE software on a supported Cisco Network Admission Control (NAC) appliance or Cisco Secure Access Control System (ACS) appliance

Cisco ISE, Release 1.2 offers a choice of two appliance platforms. Your choice depends on the size of your deployment:
• Small network—SNS 3415
• Large network—SNS 3495

You can upgrade an existing Cisco ISE 3300 series appliance to Release 1.2. For VMware-based installations, you must configure the VMware environment to meet minimum system requirements and then install the Cisco ISE, Release 1.2, software. See Chapter 4, “Installing Release 1.2 Software on a VMware Virtual Machine” for more information. The supported VMware versions include the following:
• VMware Elastic Sky X (ESX), Version 4.0, 4.0.1, and 4.1
• VMware ESXi, Version 4.x and 5.x
• VMware vSphere Client 4.x and 5.x


Audience

This guide is designed for network administrators, system integrators, or network deployment personnel who install and configure the Cisco ISE software on Cisco SNS-3400 Series appliances or on VMware servers. As a prerequisite to using this hardware installation guide, you should be familiar with networking equipment and cabling and have a basic knowledge of electronic circuitry, wiring practices, and equipment rack installations.

Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Document Organization

Table 1 Cisco ISE Hardware Installation Guide Organization

Chapter/Appendix and Title: Description

Chapter 1, “Network Deployments in Cisco ISE”
    Provides an overview of the Cisco SNS-3400 Series appliance deployments and their components. Read this chapter before planning a new Cisco ISE deployment.

Chapter 2, “Cisco SNS-3400 Series Appliances”
    Provides an overview of the Cisco SNS-3400 Series hardware.

Chapter 3, “Installing and Configuring a Cisco SNS-3400 Series Appliance”
    Describes how to perform an initial installation of Cisco ISE software on Cisco SNS-3400 Series hardware.

Chapter 4, “Installing Release 1.2 Software on a VMware Virtual Machine”
    Describes how to install Cisco ISE software on VMware ESX or ESXi and vSphere virtual machines.

Chapter 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances”
    Describes how to install Cisco ISE, Release 1.2 software on existing ISE 3300 series, or legacy NAC and ACS appliances.

Chapter 6, “Managing Administrator Accounts”
    Describes the two types of administrator accounts in Cisco ISE, their privileges, and how to create them.

Chapter 7, “Performing Post-Installation Tasks”
    Provides information about installing a Cisco ISE license and lists the configuration tasks that you need to perform following installation.

Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack”
    Describes the necessary safety instructions, site requirements, and tasks that you need to perform before installing the Cisco SNS-3400 Series hardware. Also provides instructions on rack-mounting a Cisco SNS-3400 Series appliance, connecting all cables, powering up the appliance, and replacing the server components.

Appendix B, “Cisco SNS-3400 Series Server Specifications”
    Provides physical, environmental, and power specifications for maintaining a Cisco SNS-3400 Series appliance following installation.

Appendix C, “Cisco SNS-3400 Series Appliance Ports Reference”
    Provides a reference list of ports that are used by Cisco SNS-3400 Series appliance services, applications, and devices.

Appendix D, “Cisco ISE Licenses”
    Describes the different types of licenses available in Cisco ISE and how to install them.

Appendix E, “Certificate Management in Cisco ISE”
    Describes local (including wildcard certificates) and CA certificates and how to install them.

Installation Reference

Table 2 Cisco ISE 1.2 Installation Scenarios

Installation Process: Reference

Introducing the Cisco ISE appliance and predeployment requirements
    Chapter 2, “Cisco SNS-3400 Series Appliances”

Configuring the Cisco ISE software
    Chapter 3, “Installing and Configuring a Cisco SNS-3400 Series Appliance”
    Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack”

Installing the initial Cisco ISE software on the VMware server
    Chapter 4, “Installing Release 1.2 Software on a VMware Virtual Machine”

Installing Cisco ISE software on a Cisco NAC Appliance or on a Cisco Secure ACS Appliance
    Chapter 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances”

Performing post-installation tasks after logging in to the Cisco ISE web interface
    Chapter 7, “Performing Post-Installation Tasks”

Document Conventions

This guide uses the following conventions to convey instructions and information.

Convention: Item

bold
    Commands, keywords, and user-entered text as well as tab and button names in procedural text appear in bold font.

italic
    Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.

courier
    Terminal sessions and information the system displays are in courier (monospace, fixed-width) font.

brackets
    In examples that do not allow italics, such as ASCII outputs, arguments for which you must supply a value appear in brackets.

Note
    Means reader take note. Notes contain helpful suggestions or references to material that is not discussed in the manual.

Caution
    Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Warning
    IMPORTANT SAFETY INSTRUCTIONS. This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. SAVE THESE INSTRUCTIONS.

Tip
    Means the following information will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.

Related Documentation

Note: General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html.

Release-Specific Documents

Table 3 Product Documentation for Cisco Identity Services Engine

Document Title: Location

Release Notes for the Cisco Identity Services Engine, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html

Cisco Identity Services Engine Network Component Compatibility, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html

Cisco Identity Services Engine User Guide, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Upgrade Guide, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine, Release 1.2 Migration Tool Guide
    http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Cisco Identity Services Engine CLI Reference Guide, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine API Reference Guide, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html

Cisco Identity Services Engine Troubleshooting Guide, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/prod_troubleshooting_guides_list.html

Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler
    http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html

Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card
    http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html

My Devices Portal FAQs, Release 1.2
    http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

Platform-Specific Documents

• Cisco ISE: http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
• Cisco NAC Appliance: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
• Cisco NAC Guest Server: http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html
• Cisco NAC Profiler: http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
• Cisco Secure ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
• Cisco UCS C-Series Servers: http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.


CHAPTER 1

Network Deployments in Cisco ISE

This chapter describes several network deployment scenarios, provides information about how to deploy the Cisco Identity Services Engine (ISE) SNS 3400 Series appliance and its related components, and provides a pointer to the switch and Wireless LAN Controller configurations that are needed to support Cisco ISE. This chapter contains the following sections:
• Architecture Overview, page 1-1
• Network Deployment Terminology, page 1-2
• Node Types and Personas in Distributed Deployments, page 1-3
• Standalone and Distributed Deployments, page 1-5
• Distributed Deployment Scenarios, page 1-5
• Deployment Size and Scaling Recommendations, page 1-10
• Inline Posture Planning Considerations, page 1-12
• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions, page 1-13

Architecture Overview

Cisco ISE architecture includes the following components:
• Nodes and persona types
    – Cisco ISE node—A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, or Monitoring
    – Inline Posture node—A gatekeeping node that takes care of access policy enforcement
• Network resources
• Endpoints

Figure 1-1 shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an Inline Posture node, and a policy information point. The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.

Figure 1-1 Cisco ISE Architecture

Network Deployment Terminology

The following terms are commonly used when discussing Cisco ISE deployment scenarios:
• Service—A service is a specific feature that a persona provides, such as network access, profiling, posture, security group access, monitoring, and troubleshooting.
• Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and as software that can be run on VMware.
• Node Type—A node can be one of two types: a Cisco ISE node or an Inline Posture node. The node type and persona determine the type of functionality provided by a node.
• Persona—The persona or personas of a node determine the services provided by the node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. The menu options that are available through the administrative user interface depend on the role and personas that a node assumes.
• Role—The role of a node determines whether it is a standalone, primary, or secondary node and applies only to Administration and Monitoring nodes.


Node Types and Personas in Distributed Deployments

In a Cisco ISE distributed deployment, there are two types of nodes:
• Cisco ISE node—Administration, Policy Service, Monitoring
• Inline Posture node

A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:
• Primary and secondary Administration nodes for high availability
• A pair of Monitoring nodes for automatic failover
• One or more Policy Service nodes for session failover
• A pair of Inline Posture nodes for high availability

Related Topics
• Administration Node, page 1-3
• Policy Service Node, page 1-3
• Monitoring Node, page 1-3
• Inline Posture Node, page 1-4

Administration Node

A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication, authorization, and accounting. In a distributed deployment, you can have one or a maximum of two nodes running the Administration persona. The Administration persona can take on the standalone, primary, or secondary role.

Policy Service Node

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and provides network access to endpoints based on the result of the policy evaluation. You can have more than one node assume this persona. Typically, there is more than one Policy Service node in a distributed deployment. All Policy Service nodes that reside behind a load balancer share a common multicast address and can be grouped to form a node group. If one of the nodes in a node group goes down, the other nodes detect the failure and reset any pending sessions. At least one node in your distributed setup should assume the Policy Service persona.

Monitoring Node

A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports. Cisco ISE allows you to have a maximum of two nodes with this persona, and they can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node. At least one node in your distributed setup should assume the Monitoring persona. We recommend that you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.

Inline Posture Node An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes, and they can take on primary or secondary roles for high availability. The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service, and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an Administration node (offering administration service), or a Policy Service node (offering network access, posture, profile, and guest services), or a Monitoring node (offering monitoring and troubleshooting services). Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture on any one of the following supported platforms: Cisco ISE 3315, Cisco ISE 3355, Cisco ISE 3395, or Cisco SNS 3415.

Inline Posture Node Installation

You must download the Inline Posture ISO image from Cisco.com and install it on any of the supported platforms, configure certificates through the CLI, and register this node from the user interface of the primary Administration node.

Note: You cannot access the web-based user interface of the Inline Posture nodes. You can configure them only from the primary Administration node. Before you can add an Inline Posture node to a deployment, you must configure a certificate for it and register it with the primary Administration node. See Configuring Certificates for Inline Posture Nodes, page E-34 for more information.

Inline Posture Node Reuse

If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it, but you can change it to a Cisco ISE node and then assign any persona to it. If you want to reuse an Inline Posture node, you must first deregister it and then reimage the appliance and install Cisco ISE, Release 1.2, on it.


Standalone and Distributed Deployments

A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the Administration, Policy Service, and Monitoring personas. A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, and Monitoring. An Inline Posture node cannot assume any other persona, due to its specialized nature, and it must be a dedicated node.

Distributed Deployment Scenarios

• Small Network Deployments, page 1-5
• Medium-Sized Network Deployments, page 1-7
• Large Network Deployments, page 1-8

Small Network Deployments

The smallest Cisco ISE deployment consists of two Cisco ISE nodes as shown in Figure 1-2, with one Cisco ISE node functioning as the primary appliance in a small network.

Note: Concurrent endpoints represent the total number of supported users and devices. Concurrent endpoints can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming consoles, printers, fax machines, or other types of network devices.

The primary node provides all the configuration, authentication, and policy capabilities that are required for this network model, and the secondary Cisco ISE node functions in a backup role. The secondary node supports the primary node and maintains a functioning network whenever connectivity is lost between the primary node and network appliances, network resources, or RADIUS. Centralized authentication, authorization, and accounting (AAA) operations between clients and the primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node, so the secondary node is always current with the state of the primary node. In a small network deployment, this configuration model lets you configure both the primary and secondary nodes on all RADIUS clients.

Figure 1-2 Small Network Deployment

As the number of devices, network resources, users, and AAA clients increases in your network environment, you should change your deployment configuration from the basic small model and use more of a split or distributed deployment model, as shown in Figure 1-3. Figure 1-2 shows the secondary Cisco ISE node acting as a Policy Service persona performing AAA functions. The secondary Cisco ISE node could also be acting as a Monitoring or Administration persona.

Split Deployments

In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor the secondary node handles all AAA requests during normal network operations because this workload is distributed between the two nodes. Splitting the load in this way directly reduces the stress on each Cisco ISE node in the system, and it keeps the secondary node exercised and functional during the course of normal network operations. In split Cisco ISE deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions in the event of a failure. If you have two Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector. Figure 1-3 shows the secondary Cisco ISE node in this role.

Figure 1-3 Split Network Deployment

In addition, the split Cisco ISE node deployment design provides an advantage because it also allows for growth, as shown in Figure 1-4.

Medium-Sized Network Deployments

As small, local networks grow, you can keep pace and manage network growth by adding Cisco ISE nodes to create a medium-sized network. In medium-sized network deployments, you can dedicate the new nodes for all AAA functions, and use the original nodes for configuration and logging functions. As the amount of log traffic increases in a network, you can choose to dedicate one or two of the secondary Cisco ISE nodes for log collection in your network.

Figure 1-4 Medium-Sized Network Deployment

Large Network Deployments

We recommend that you use centralized logging (as shown in Figure 1-5) for large Cisco ISE networks. To use centralized logging, you must first set up a dedicated logging server that serves as a Monitoring persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy network can generate. Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog appliance can serve as the collector for outbound logging traffic. A dedicated logging server enables you to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes. See “Cisco ISE Setup Program Parameters” section on page 3-7 when configuring the Cisco ISE software to support a dedicated logging server. You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the Monitoring persona on the Cisco ISE node goes down. In large centralized networks, you should use a load balancer (as shown in Figure 1-5), which simplifies the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers, and the load balancer optimizes the routing of AAA requests to the available servers. However, having only a single load balancer introduces a single point of failure. To avoid this, deploy two load balancers for redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client, and this configuration remains consistent throughout the network.

Figure 1-5 Large Network Deployment

Dispersed Network Deployments

Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and users in different geographical regions and locations. Large remote sites can have their own AAA infrastructure (as shown in Figure 1-6) for optimal AAA performance. A centralized management model helps maintain a consistent, synchronized AAA policy. A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote location should retain its own unique network requirements.

Figure 1-6 Dispersed Deployment

Before You Plan a Network with Several Remote Sites

• Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the external database that is available for Cisco ISE to access for optimizing AAA performance.
• The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible to the AAA clients to reduce network latency effects and the potential for loss of access that is caused by WAN failures.
• Cisco ISE has console access for some functions such as backup. Consider using a terminal at each site, which allows for direct, secure console access that bypasses network access to each node.
• If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, consider using a Cisco ISE node as a backup for the local site to provide redundancy.
• Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access to the external databases.

Deployment Size and Scaling Recommendations

This section provides guidance on the size of the physical and virtual machine appliances that you would need for your deployment based on the number of endpoints that connect to your network. Table 1-1 provides guidance on the type of deployment, number of Cisco ISE nodes, and the type of appliance (small, medium, large) that you need based on the number of endpoints that connect to your network.


Table 1-1 Cisco ISE Deployment—Size and Scaling Recommendations

Columns: Deployment Type; Number of Nodes/Personas; Appliance Platform; Maximum Number of Dedicated Policy Service Nodes; Number of Active Endpoints.

Small: Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled.
  Appliance Platform | Maximum Number of Dedicated Policy Service Nodes | Number of Active Endpoints
  Cisco ISE 3300 Series (3315, 3355, 3395) | 0 | Maximum of 2,000 endpoints
  Cisco ISE 3415 | 0 | Maximum of 5,000 endpoints
  Cisco ISE 3495 | 0 | Maximum of 10,000 endpoints

Medium: Administration and Monitoring personas on single or redundant nodes. Maximum of 2 Administration and Monitoring nodes.
  Appliance Platform | Maximum Number of Dedicated Policy Service Nodes | Number of Active Endpoints
  Cisco ISE-3355 or Cisco SNS 3415 appliances for Administration and Monitoring personas | 5 | Maximum of 5,000 endpoints
  Cisco ISE 3395 or Cisco SNS 3495 appliances for Administration and Monitoring personas | 5 | Maximum of 10,000 endpoints

Large: Dedicated Administration node/nodes. Maximum of 2 Administration nodes. Dedicated Monitoring node/nodes. Maximum of 2 Monitoring nodes.
  Appliance Platform | Maximum Number of Dedicated Policy Service Nodes | Number of Active Endpoints
  Cisco ISE 3395 appliances for Administration and Monitoring personas | 40 | Maximum of 100,000 endpoints
  Cisco SNS 3495 appliances for Administration and Monitoring personas | 40 | Maximum of 250,000 endpoints

Table 1-2 provides guidance on the type of appliance that you would need for a dedicated Policy Service node based on the number of active endpoints the node services.

Table 1-2 Policy Service Node Size Recommendations

Form Factor | Platform Size | Appliance | Maximum Endpoints
Physical | Small | Cisco ISE-3315 | 3,000
Physical | Small | Cisco SNS-3415 | 5,000
Physical | Medium | Cisco ISE-3355 | 6,000
Physical | Large | Cisco ISE-3395 | 10,000
Physical | Large | Cisco SNS-3495 | 20,000
Virtual Machine | Small/Medium/Large | Comparable to physical appliance | 3,000 to 20,000


Table 1-3 provides the maximum throughput and the maximum number of endpoints that a single Inline Posture node can support.

Table 1-3 Inline Posture Node Sizing Recommendations

Attribute | Performance
Maximum number of endpoints per physical appliance | 5,000 to 20,000 (gated by Policy Service nodes)
Maximum throughput per any physical appliance | 936 Mbps

Inline Posture Planning Considerations

A network or system architect is responsible for researching the issues involved in Inline Posture deployment to determine what best suits network requirements. A network or system architect must address the following basic questions when planning to deploy Inline Posture nodes:

• Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.
• What type of Inline Posture operating modes will you choose?

Caution: The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets flooded out of the untrusted interface. This multicast event can potentially bring down devices that are connected to the same subnet or VLAN. The Inline Posture node at this time is in maintenance mode.

Caution: Do not change the CLI password for an Inline Posture node once it has been added to the deployment. If the password is changed, when you access the Inline Posture node through the Administration node, a Java exception error is displayed and the CLI gets locked. You need to recover the password by using the installation DVD and rebooting the Inline Posture node. Or, you can set the password back to the original one. If you need to change the password, deregister the Inline Posture node from the deployment, modify the password, and then add the node to the deployment with the new credentials.

Related Topics

Cisco Identity Services Engine User Guide, Release 1.2.


Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are successful across the network segment, you must configure your network switches with certain required Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and other settings.

Related Topics

For more switch and wireless LAN controller configuration requirements, see Appendix C, “Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,” in Cisco Identity Services Engine User Guide, Release 1.2.


CHAPTER 2

Cisco SNS-3400 Series Appliances

This chapter describes Cisco Secure Network Server (SNS) 3415 and 3495 appliances and hardware specifications.

• Cisco SNS-3400 Series Appliance Hardware Specifications, page 2-1
• Cisco SNS Support for Cisco ISE, page 2-3

Cisco SNS-3400 Series Appliance Hardware Specifications

Cisco SNS-3400 series appliance hardware consists of Cisco SNS 3415 and 3495 appliances. See the Cisco Identity Services Engine (ISE) Data Sheet for the appliance hardware specifications (Table 3).

Note: Cisco ISE 1.2 supports an optional redundant power supply unit for Cisco SNS-3415-K9. The part number for the additional power supply to order is UCSC-PSU-650W=.

Cisco SNS-3400 Series Front and Rear Panels

Front Panel

Figure 2-1 shows the SNS 3415/3495 front panel.


Figure 2-1 Cisco SNS 3415/3495 Front Panel

1 Power button/power status LED
2 Identification button LED
3 System status LED
4 Fan status LED
5 Temperature status LED
6 Power supply status LED
7 Network link activity LED
8 Asset tag (serial number)
9 Keyboard, video, mouse (KVM) connector (used with the KVM cable that provides two USBs, one Video Graphics Adapter (VGA), and one serial connector)
10 Drives (up to eight hot-swappable, 2.5-inch drives)

Rear Panel

Figure 2-2 shows the SNS 3415/3495 rear panel.

Figure 2-2 SNS 3415/3495 Rear Panel


1 Power supplies (up to two)
2 Slot 2: Low-profile Peripheral Component Interconnect Express (PCIe) slot on riser (half-height, half-length, x16 connector, x16 lane width)
3 Slot 1: PCIe1 card containing 1-GB Ethernet ports (GigE2 and GigE3)
4 1-GB Ethernet port 3 (GigE2)
5 1-GB Ethernet port 4 (GigE3)
6 VGA video connector
7 Serial port (RJ-45 connector)
8 1-GB Ethernet dedicated management port used to access CIMC (labeled M)
9 1-GB Ethernet port 1 (GigE0) for Cisco ISE management communication
10 1-GB Ethernet port 2 (GigE1)
11 USB ports
12 Rear identification button

Serial Number Location

The serial number for the server is printed on a label on the top of the server, near the front.

Cisco SNS Support for Cisco ISE

The Cisco ISE software runs on a dedicated Cisco SNS-3400 series appliance or on a VMware server. Cisco ISE, Release 1.2, software does not support the installation of any other packages or applications on this dedicated platform. See Release Notes for Cisco Identity Service Engine, Release 1.2, for additional hardware and compatibility information. Release 1.2 is also supported on Cisco ISE 3300 series, Cisco NAC 3300 series, and Cisco Secure ACS 1121 appliances. You can upgrade an existing Cisco ISE 3300 series appliance to Release 1.2. For information on Cisco ISE 3300 series appliances, see Chapter 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances.”


CHAPTER 3

Installing and Configuring a Cisco SNS-3400 Series Appliance

This chapter describes how to install and configure a Cisco Identity Services Engine (ISE) 3400 Series appliance, and contains the following topics:

• Installing the SNS-3400 Series Appliance in a Rack, page 3-1
• Downloading the Cisco ISE, Release 1.2 ISO Image, page 3-1
• Installing Release 1.2 Software on SNS-3400 Series Appliance, page 3-2
• Cisco Integrated Management Controller, page 3-3
• Configuring CIMC, page 3-3
• Creating a Bootable USB Drive, page 3-5
• Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6
• Cisco ISE Setup Program Parameters, page 3-7
• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
• Setup Process Verification, page 3-15

Note: Review the configuration prerequisites listed in this chapter before you attempt to configure the Cisco ISE software on a Cisco SNS-3400 series appliance. See Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6 for more information.

Installing the SNS-3400 Series Appliance in a Rack

Refer to Appendix A, “Installing the Cisco SNS-3400 Series Appliance in a Rack,” for information on safety guidelines, site requirements, and guidelines that you must observe before installing the Cisco SNS-3400 series appliance.

Downloading the Cisco ISE, Release 1.2 ISO Image

You can download the Cisco ISE, Release 1.2 ISO image from Cisco.com.


Note: For Inline Posture nodes, you must download the Inline Posture Node, Release 1.2, ISO and continue with the installation process. See Inline Posture Node Installation, page 1-4 for more information.

Step 1 Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.

Step 2 Click Download Software for this Product. The Cisco ISE, Release 1.2, software image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration is complete.

Installing Release 1.2 Software on SNS-3400 Series Appliance

If your SNS-3400 series appliance is running Cisco ISE, Release 1.1.x, you have the option to upgrade it to Release 1.2 using the application upgrade command. Refer to the Cisco Identity Services Engine Upgrade Guide, Release 1.2. Alternatively, you can reimage your existing SNS-3400 Series appliance to perform a fresh installation of Release 1.2 and register it to an existing deployment.

After you download the ISO image, you can install it on your SNS-3400 Series appliance in any one of the following ways:

• Install the ISO image using the CIMC Remote Management Utility. You must configure the CIMC to perform this remote installation.
  1. Configure CIMC.
  2. Install Cisco ISE, Release 1.2 remotely.
• Install the ISO image using a USB flash drive.
  1. Create a bootable USB flash drive using the iso-to-usb.sh script.
  2. Connect the USB flash device to the SNS-3400 Series appliance.
  3. Install Cisco ISE, Release 1.2 using the local KVM or remotely using the CIMC KVM.
• Install the ISO using an external DVD drive with a USB port.
  1. Burn the ISO image on to a DVD.
  2. Connect the external USB DVD to the SNS-3400 Series appliance.
  3. Install Cisco ISE, Release 1.2 using the local KVM or remotely using the CIMC KVM.

Note: For installing Release 1.2 using a USB flash device or an external DVD with a USB port, CIMC configuration is optional. Choose one of these options if you do not prefer a remote installation.

Related Topics

• Configuring CIMC, page 3-3
• Creating a Bootable USB Drive, page 3-5
• Cisco ISE Setup Program Parameters, page 3-7
• Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9

Cisco Integrated Management Controller

You can monitor the server and system event logs using the built-in Cisco Integrated Management Controller (CIMC) GUI or CLI interfaces. See the user documentation for your release at the following URL: http://www.cisco.com/en/US/products/ps10739/products_installation_and_configuration_guides_list.html

Configuring CIMC

You can perform all operations on a Cisco SNS-3400 series appliance through the CIMC. To do this, you must first configure an IP address and IP gateway to access the CIMC from a web-based browser.

Step 1 Plug in the power cord.

Step 2 Press the Power button to boot the server. Watch for the prompt to press F8 as shown in the following figure.

Step 3 During bootup, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following screen appears.


Step 4 Set the NIC mode to specify which ports access the CIMC for server management (see Figure 2-2 on page 2-2 for identification of the ports). Cisco ISE can use up to four Gigabit Ethernet ports. Choose Dedicated NIC mode, set NIC redundancy to None as described in Step 5, and select IP settings.
  – Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy None and select IP settings.
  – Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default setting, along with active-active NIC redundancy and DHCP enabled.
  – Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC redundancy and IP setting.

Note: The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01) that is installed in PCIe slot 1. See Special Considerations for Cisco UCS Virtual Interface Cards.

Step 5 Specify the NIC redundancy setting:
  – None—The Ethernet ports operate independently and do not fail over if there is a problem.
  – Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.
  – Active-active—All Ethernet ports are utilized simultaneously.

Step 6 Choose whether to enable DHCP for dynamic network settings or to enter static network settings.

Note: Before you enable DHCP, this DHCP server must be preconfigured with the range of MAC addresses for the server. The MAC address is printed on a label on the rear of the server. This server has a range of six MAC addresses assigned to the CIMC. The MAC address printed on the label is the beginning of the range of six contiguous MAC addresses.

Step 7 (Optional) Specify VLAN setting and set a default CIMC user password.


Note: Changes to the settings take effect after approximately 45 seconds. Press F5 to refresh and wait until the new settings appear before you reboot the server in the next step.

Step 8 Press F10 to save your settings and reboot the server.

Note: If you chose to enable DHCP, the dynamically assigned IP and MAC addresses are displayed on the console screen during bootup.

What To Do Next

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
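To preconfigure the DHCP server with the six contiguous CIMC MAC addresses described in the Step 6 note, the following added example (not Cisco code) expands the label MAC into the full range and emits reservations; the ISC dhcpd stanza syntax, the sample MAC and the sample address are assumptions of this example.

```python
"""Expand the CIMC label MAC into the six contiguous addresses the DHCP
server must know about (Step 6 note). Added example, not Cisco code."""
import re

CIMC_MAC_COUNT = 6   # the guide: six contiguous MACs, starting at the label MAC


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return an int."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit integer as lowercase colon-separated octets."""
    octets = "%012x" % value
    return ":".join(octets[i:i + 2] for i in range(0, 12, 2))


def cimc_mac_range(label_mac, count=CIMC_MAC_COUNT):
    """Return the `count` contiguous MACs beginning at the one printed on the label."""
    base = parse_mac(label_mac)
    if base + count - 1 > 0xFFFFFFFFFFFF:
        raise ValueError("range would overflow 48 bits")
    return [format_mac(base + i) for i in range(count)]


def dhcpd_host_entries(label_mac, fixed_ip, name="cimc"):
    """Build one ISC dhcpd 'host' stanza per MAC in the range, all pointing at
    the same reservation. The dhcpd syntax is an assumption about the site's
    DHCP server; the guide only says it must be preconfigured with the range."""
    lines = []
    for i, mac in enumerate(cimc_mac_range(label_mac)):
        lines.append("host %s-%d { hardware ethernet %s; fixed-address %s; }"
                     % (name, i, mac, fixed_ip))
    return "\n".join(lines)


# Constructed sample: a locally administered MAC chosen so that the range
# crosses an octet boundary (00:fe up to 01:03).
SAMPLE_LABEL_MAC = "02:ab:cd:00:00:fe"

if __name__ == "__main__":
    print("\n".join(cimc_mac_range(SAMPLE_LABEL_MAC)))
    print(dhcpd_host_entries(SAMPLE_LABEL_MAC, "192.0.2.50"))
```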

Creating a Bootable USB Drive

The Cisco ISE, Release 1.2, ISO image contains an “images” directory that has a Readme file and a script to create a bootable USB drive to install Cisco ISE, Release 1.2.

Before You Begin

• Ensure that you have read the Readme file in the “images” directory.
• You need the following:
  – Linux machine with RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x. If you are using a PC or MAC, ensure that you have installed a Linux virtual machine (VM) running RHEL-5.x, RHEL-6.x, CentOS-5.x, or CentOS-6.x.
  – An 8-GB USB drive
  – The iso-to-usb.sh script

Step 1 Plug the USB drive into the USB port.

Step 2 Unmount the USB drive from the Linux CLI or GUI without removing the USB device. From the CLI, enter the following command:

umount /dev/sdb

where /dev/sdb is the USB device.

Note: Do not choose the “Safely Remove Drive” or “Eject” options from the GUI.

Step 3 Copy the iso-to-usb.sh script and the Cisco ISE, Release 1.2, ISO image to a directory on the Linux machine.

Step 4 Change the permissions of the script using the chmod command. For example:

# chmod u+x iso-to-usb.sh

Step 5 As root user, enter the following command:

iso-to-usb.sh source_iso usb_device

For example:

# ./iso-to-usb.sh ise-1.2.0.434-x86_64.iso /dev/sdb

where iso-to-usb.sh is the name of the script, ise-1.2.0.434-x86_64.iso is the name of the ISO image, and /dev/sdb is your USB device.


You might have to use the su command to switch to the root user account. You can also use the sudo command to execute the script with root permissions.

Step 6 Enter a value for the appliance that you want to install the image on.

Step 7 Enter Y to continue.

Step 8 A success message appears.

Step 9 Unplug the USB drive.

What To Do Next

Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9
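The following added pre-flight check (not part of the ISO's images directory or the iso-to-usb.sh script) covers Steps 2 to 5 above: it refuses to proceed when the device has vanished after “Safely Remove”/“Eject”, is not a block device, is still mounted (which also catches pointing the script at the build host's system disk), or when the caller is not root; the /dev/sdb path and the /proc/mounts sample are constructed.

```python
"""Pre-flight checks before running iso-to-usb.sh (Steps 2 to 5).
Added example; not part of the Cisco ISO. Returns a list of problems so the
caller can stop before any image is written."""
import os
import stat


def _partition_of(mount_source, device):
    """True if mount_source is `device` itself or one of its partitions
    (/dev/sdb and /dev/sdb1, or /dev/nvme0n1 and /dev/nvme0n1p1)."""
    if not mount_source.startswith(device):
        return False
    rest = mount_source[len(device):]
    return rest == "" or rest.isdigit() or (rest[:1] == "p" and rest[1:].isdigit())


def device_is_mounted(device, mounts_text):
    """Scan /proc/mounts content; the first field of each line is the mount source."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if fields and _partition_of(fields[0], device):
            return True
    return False


def preflight(iso_path, device, script_path="./iso-to-usb.sh", mounts_text=None):
    """Return a list of problems; an empty list means the script can be run."""
    problems = []
    if os.geteuid() != 0:                                   # Step 5: run as root
        problems.append("not running as root: use su or sudo")
    if not os.path.isfile(iso_path):                        # Step 3: ISO copied locally
        problems.append("ISO image not found: %s" % iso_path)
    if not os.access(script_path, os.X_OK):                 # Step 4: chmod u+x
        problems.append("%s is not executable: chmod u+x it first" % script_path)
    try:
        if not stat.S_ISBLK(os.stat(device).st_mode):
            problems.append("%s is not a block device" % device)
    except FileNotFoundError:
        # Step 2 note: Safely Remove/Eject powers the stick off and removes the node.
        problems.append("%s does not exist; if you used Safely Remove or Eject, "
                        "replug the drive and umount it instead" % device)
    if mounts_text is None:
        with open("/proc/mounts") as fh:                    # live check on the build host
            mounts_text = fh.read()
    if device_is_mounted(device, mounts_text):              # Step 2: umount, do not eject
        problems.append("%s (or a partition on it) is still mounted; run umount, "
                        "and never write an image to a disk that is in use" % device)
    return problems


# Constructed /proc/mounts sample: system disk on sda, the USB stick still
# auto-mounted from sdb1 (the state right after Step 1, before Step 2).
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/dev/sdb1 /media/usb vfat rw,nosuid 0 0\n"
)

if __name__ == "__main__":
    for problem in preflight("ise-1.2.0.434-x86_64.iso", "/dev/sdb",
                             mounts_text=SAMPLE_MOUNTS):
        print("BLOCKED:", problem)
```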

Prerequisites for Configuring a Cisco SNS-3400 Series Appliance

Cisco SNS-3400 series appliances are preinstalled with the Cisco Application Deployment Engine, Release 2.0.5, operating system (ADE-OS) and the Cisco ISE, Release 1.2, software. Make sure that you identify all of the following configuration settings for each node in your deployment before proceeding:

• Hostname
• IP address for the Gigabit Ethernet 0 (eth0) interface
• Netmask
• Default gateway
• Domain Name System (DNS) domain
• Primary name server
• Primary Network Time Protocol (NTP) server
• System time zone
• Username (username for CLI-admin user)
• Password (password for CLI-admin user)

For details about the differences between the CLI-admin user and web-based admin user rights, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.

If you are installing Cisco ISE on an SNS-3400 series appliance, download the Cisco ISE, Release 1.2, ISO image, and use any one of the following options to configure the Cisco ISE, Release 1.2, software on the appliance:

• Configure the Cisco Integrated Management Interface (CIMC) and use it to install Cisco ISE, Release 1.2. See Configuring CIMC, page 3-3.
• Create a bootable USB Drive and use it to install Cisco ISE, Release 1.2. See Creating a Bootable USB Drive, page 3-5.


Note: In case you have purposefully deleted the RAID configuration on the Cisco SNS-3400 series appliance, you must reinstall Cisco ISE, Release 1.2, using CIMC or the USB bootable drive. While using the USB bootable drive to reinstall Cisco ISE, you must manually configure RAID using the webBIOS. For more information on installing Cisco ISE using CIMC, see Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance, page 3-9. For more information on using the USB bootable drive to install Cisco ISE, see Creating a Bootable USB Drive, page 3-5.

If you are installing Cisco ISE on Cisco ISE-3300 series, Cisco Secure ACS, or Cisco NAC appliances, download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install Cisco ISE, Release 1.2. See Appendix 5, “Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances,” for the supported Cisco Secure ACS and Cisco NAC platforms.

Cisco ISE Setup Program Parameters

When the Cisco ISE software configuration begins, an interactive CLI prompts you to enter required parameters to configure the system. (See Table 3-1.)

Ensure that the DNS and NTP servers are reachable after you run Setup and whenever a Cisco ISE node reboots in the deployment.

Note

If you are installing Cisco ISE software on a VMware server, Cisco ISE also installs and configures VMware Tools, Version 8.3.2, during the initial setup. To verify the installation, see Verifying the Installation of VMware Tools, page 7-6.

Table 3-1 Cisco ISE Setup Program Parameters

| Prompt | Description | Example |
|---|---|---|
| Hostname | Must not exceed 15 characters. Valid characters include alphanumerical (A–Z, a–z, 0–9), and the hyphen (-). The first character must be a letter. Note: We recommend that you use lowercase letters to ensure that certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verifications. You cannot use “localhost” as the hostname for a node. | isebeta1 |
| (eth0) Ethernet interface address | Must be a valid IPv4 address for the Gigabit Ethernet 0 (eth0) interface. | 10.12.13.14 |
| Netmask | Must be a valid IPv4 netmask. | 255.255.255.0 |
| Default gateway | Must be a valid IPv4 address for the default gateway. | 10.12.13.1 |
| DNS domain name | Cannot be an IP address. Valid characters include ASCII characters, any numerals, the hyphen (-), and the period (.). | example.com |
| Primary name server | Must be a valid IPv4 address for the primary name server. | 10.15.20.25 |
| Add/Edit another name server | Must be a valid IPv4 address for an additional name server. (Optional) Allows you to configure multiple name servers. To do so, enter y to continue. | |
| Primary NTP server | Must be a valid IPv4 address or hostname of a Network Time Protocol (NTP) server. | clock.nist.gov |
| Add/Edit another NTP server | Must be a valid NTP domain. (Optional) Allows you to configure multiple NTP servers. To do so, enter y to continue. | |
| System Time Zone | Must be a valid time zone. For details, see Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x, which provides a list of time zones that Cisco ISE supports. For example, for Pacific Standard Time (PST), the System Time Zone is PST8PDT (or Coordinated Universal Time (UTC) minus 8 hours). The time zones referenced in the CLI Reference Guide are the most frequently used time zones. You can run the show timezones command from the Cisco ISE CLI for a complete list of supported time zones. Note: We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps. | UTC (default) |
| Username | Identifies the administrative username used for CLI access to the Cisco ISE system. If you choose not to use the default (admin), you must create a new username. The username must be three to eight characters in length and be composed of valid alphanumeric characters (A–Z, a–z, or 0–9). | admin (default) |
| Password | Identifies the administrative password that is used for CLI access to the Cisco ISE system. You must create this password because there is no default. The password must be a minimum of six characters in length and include at least one lowercase letter (a–z), one uppercase letter (A–Z), and one numeral (0–9). | MyIseYPass2 |

Note

For details about the web-based administrator username and password, see Verifying a Configuration Using a Web Browser, page 7-4.
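The rules in Table 3-1 are easy to get wrong at the prompt (the 15-character hostname limit, the password composition, a netmask that is not contiguous), and a rejected answer means restarting the interactive setup. The following preflight checker is an added example and is not code from the Cisco guide; it applies the table's rules to the answers you intend to give, using its own parameter names (hostname, eth0_ip, netmask, default_gateway, dns_domain, primary_nameserver, extra_nameservers, ntp_server, username, password). It does not validate the time zone, which the appliance's show timezones command covers.

```python
"""Preflight check for the Cisco ISE setup prompts (Table 3-1).

Added example, not code from the Cisco guide. It applies the rules the
table states to the values you plan to type, so a rejected hostname or
password is caught before the interactive setup program starts. The
parameter names (hostname, eth0_ip, ...) are this script's own; the
time zone is not checked here (use `show timezones` on the appliance).
"""
import ipaddress
import re
from typing import List, Tuple

# Hostname: first char a letter, then letters/digits/hyphen, 15 chars max.
HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,14}$")
# DNS domain: ASCII letters, digits, hyphen and period only.
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")
# NTP server may be a hostname: labels of letters/digits/hyphen joined by periods.
NTP_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")
# CLI-admin username: three to eight alphanumerics.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")


def is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_ipv4_netmask(value: str) -> bool:
    # IPv4Network accepts a dotted mask after the slash and rejects
    # non-contiguous masks such as 255.0.255.0.
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{value}")
        return True
    except ValueError:
        return False


def password_ok(pw: str) -> bool:
    # At least six characters with a lowercase letter, an uppercase letter and a digit.
    return (len(pw) >= 6
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def validate_setup_params(p: dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a dict of intended setup answers."""
    errors: List[str] = []
    warnings: List[str] = []

    host = p.get("hostname", "")
    if not HOSTNAME_RE.match(host):
        errors.append("hostname: 1-15 chars, letters/digits/hyphen, first char a letter")
    elif host.lower() == "localhost":
        errors.append("hostname: 'localhost' is not allowed")
    elif host != host.lower():
        warnings.append("hostname: prefer lowercase so certificate name checks are not affected")

    for key in ("eth0_ip", "default_gateway", "primary_nameserver"):
        if not is_ipv4(p.get(key, "")):
            errors.append(f"{key}: must be a valid IPv4 address")
    for extra in p.get("extra_nameservers", []):
        if not is_ipv4(extra):
            errors.append(f"extra name server {extra!r}: must be a valid IPv4 address")

    if not is_ipv4_netmask(p.get("netmask", "")):
        errors.append("netmask: must be a valid IPv4 netmask")

    domain = p.get("dns_domain", "")
    if is_ipv4(domain) or not DOMAIN_RE.match(domain):
        errors.append("dns_domain: must be a name, not an IP address")

    ntp = p.get("ntp_server", "")
    if not (is_ipv4(ntp) or NTP_HOST_RE.match(ntp)):
        errors.append("ntp_server: must be an IPv4 address or hostname")

    if not USERNAME_RE.match(p.get("username", "admin")):
        errors.append("username: three to eight alphanumeric characters")

    if not password_ok(p.get("password", "")):
        errors.append("password: minimum six chars with lowercase, uppercase and a digit")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample answers, using the example values from Table 3-1.
    planned = {
        "hostname": "isebeta1",
        "eth0_ip": "10.12.13.14",
        "netmask": "255.255.255.0",
        "default_gateway": "10.12.13.1",
        "dns_domain": "example.com",
        "primary_nameserver": "10.15.20.25",
        "ntp_server": "clock.nist.gov",
        "username": "admin",
        "password": "MyIseYPass2",
    }
    errs, warns = validate_setup_params(planned)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

An empty error list means the setup program should accept every answer; warnings cover the guide's lowercase recommendation, which the program does not enforce but which avoids certificate name-matching surprises later.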


Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance

After you configure the CIMC for your appliance, you can use it to manage a Cisco SNS-3400 series appliance. You can perform all operations including BIOS configuration through the CIMC.

Note

To configure VMware servers, see Configuring a VMware System to Boot From a Cisco ISE Software DVD, page 4-17.

Before You Begin

• Ensure that you have configured the CIMC on your appliance. See Configuring CIMC, page 3-3 for more information.
• Ensure that you have properly installed, connected, and powered up the supported appliance by following the recommended procedures. See Connecting and Powering On the Server, page A-7 and Checking the LEDs, page A-8.
• Ensure that you have the Cisco ISE, Release 1.2, ISO image on the client machine from which you are accessing the CIMC or you have a bootable USB with the image for installation. See Creating a Bootable USB Drive, page 3-5.
• Cisco ISE appliances track time internally using UTC time zones. If you do not know your specific time zone, you can enter one based on the city, region, or country where the Cisco ISE appliance is located. See Table 3-2, Table 3-3, and Table 3-4 for sample time zones. We recommend that you configure the preferred time zone (the default is UTC) during installation when the setup program prompts you to configure the setting.

Step 1

Connect to the CIMC for server management. Connect the Ethernet cables from the LAN to the server using the ports selected by the Network Interface Card (NIC) Mode setting. The active-active and active-passive NIC redundancy settings require you to connect to two ports.

Step 2

Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is based on the CIMC configuration that you made (either a static address or the address assigned by the Dynamic Host Configuration Protocol (DHCP) server).

Note

The default username for the server is admin. The default password is password.

Step 3

Click Launch KVM Console.

Step 4

Use your CIMC credentials to log in.

Step 5

Click the Virtual Media tab.

Step 6

Click Add Image to choose the Cisco ISE, Release 1.2, ISO image from the system running your client browser.

Step 7

Check the Mapped check box against the virtual CD/DVD drive that you have created.

Step 8

Click the KVM tab.

Step 9

Choose Macros > Ctrl-Alt-Del to boot the SNS-3400 series appliance using the ISO image. A screen similar to the one shown in the following figure appears.


Step 10

Press F6 to bring up the boot menu. A screen similar to the following one appears.

Step 11

Choose the CD/DVD that you mapped and press Enter. A screen similar to the following one appears.


Step 12

At the boot prompt, enter 1 and press Enter.

**********************************************
Please type 'setup' to configure the appliance
**********************************************

Step 13

At the prompt, type setup to start the setup program. You are prompted to enter networking parameters and credentials. The following illustrates a sample setup program and default prompts:

Enter hostname[]: ise-server-1
Enter IP address[]: 10.1.1.10
Enter Netmask[]: 255.255.255.0
Enter IP default gateway[]: 172.10.10.10
Enter default DNS domain[]: cisco.com
Enter Primary nameserver[]: 200.150.200.150
Add/Edit another nameserver? Y/N: n
Enter primary NTP domain[]: clock.cisco.com
Add/Edit another NTP domain? Y/N: n
Enable SSH?: Y/N
Enter system time zone[]: UTC
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Virtual machine detected, configuring VMware tools...
Appliance is configured
Installing applications...
Installing ISE...
Application bundle (ise) installed successfully
===Initial Setup for Application: ise===
Welcome to the ISE initial setup. The purpose of this setup is to provision the internal ISE database. This setup is non-interactive, and will take roughly 15 minutes to complete.
Running database cloning script...
Running database network config assistant tool...
Extracting ISE database contents...
Starting ISE database processes...
...

Note

An “Installing ISE-IPEP” message appears when you install the Inline Posture node, Release 1.2, ISO image and you will see an “Application bundle (ISE-IPEP) installed successfully” message.

Note

A “Virtual machine detected, configuring VMware tools...” message appears only if Cisco ISE is installed on a virtual machine.

After the Cisco ISE or Inline Posture node software is configured, the Cisco ISE system reboots automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you configured during setup.

Step 14

If you installed the Inline Posture node ISO image, go to Configuring Certificates for Inline Posture Nodes, page E-34.

Step 15

If you installed the Cisco ISE, Release 1.2, ISO image, log in to the Cisco ISE CLI shell, and run the following CLI command to check the status of the Cisco ISE application processes:

ise-server/admin# show application status ise
ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#

Step 16

After you confirm that the Cisco ISE Application Server is running, you can log in to the Cisco ISE user interface by using one of the supported web browsers. (See Accessing Cisco ISE Using a Web Browser, page 7-1.) To log in to the Cisco ISE user interface using a web browser, enter https://<your-ise-hostname or IP address>/admin/ in the Address field. Here “your-ise-hostname or IP address” represents the hostname or IP address that you configured for the Cisco SNS-3400 series appliance during setup.

Step 17

At the Cisco ISE Login window, you are prompted to enter the web-based admin login credentials (username and password) to access the Cisco ISE user interface. You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process. After you log in to the Cisco ISE user interface, you can then configure your devices, user stores, policies, and other components.


The username and password credentials that you use for web-based access to the Cisco ISE user interface are not the same as the CLI-admin user credentials that you created during the setup for accessing the Cisco ISE CLI interface. For an explanation of the differences between these two types of admin users, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.
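Step 15 is the check that tells you the node is really up, and it is also the output an operator re-reads after every reboot of a deployment node. The parser below is an added example, not code from the Cisco guide: it turns the show application status ise listing into a dictionary and reports any of the seven processes in the guide's sample that is missing or not running. SAMPLE_OK is the guide's own output; SAMPLE_DEGRADED is a constructed variant, and its stopped-process wording ("is not running") is an assumption rather than something the guide shows.

```python
"""Parse `show application status ise` output (Step 15) and flag any ISE
process that is missing or not running.

Added example, not code from the Cisco guide. SAMPLE_OK is the output the
guide prints; SAMPLE_DEGRADED is a constructed variant in which one line
reports "is not running" (that wording is assumed, not taken from the guide).
"""
import re
from typing import Dict, List

SAMPLE_OK = """\
ise-server/admin# show application status ise
ISE Database listener is running, PID: 4845
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 6344
ISE M&T Session Database is running, PID: 4502
ISE M&T Log Collector is running, PID: 6652
ISE M&T Log Processor is running, PID: 6738
ISE M&T Alert Process is running, PID: 6542
ise-server/admin#
"""

# Constructed: the same output with the Log Collector stopped.
SAMPLE_DEGRADED = SAMPLE_OK.replace(
    "ISE M&T Log Collector is running, PID: 6652",
    "ISE M&T Log Collector is not running")

# One status line: "<name> is running, PID: n" / ", number of processes: n" / "is not running".
STATUS_RE = re.compile(
    r"^(?P<name>ISE .+?) is (?P<state>not running|running)"
    r"(?:,\s*(?:PID:\s*(?P<pid>\d+)|number of processes:\s*(?P<procs>\d+)))?\s*$")

# Every process the guide's sample lists; a missing line is also a finding.
EXPECTED = [
    "ISE Database listener", "ISE Database", "ISE Application Server",
    "ISE M&T Session Database", "ISE M&T Log Collector",
    "ISE M&T Log Processor", "ISE M&T Alert Process",
]


def parse_app_status(output: str) -> Dict[str, dict]:
    """Map process name -> {'running': bool, 'pid': int|None, 'processes': int|None}."""
    result: Dict[str, dict] = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue   # prompt lines and anything unrecognised are skipped
        result[m.group("name")] = {
            "running": m.group("state") == "running",
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "processes": int(m.group("procs")) if m.group("procs") else None,
        }
    return result


def findings(output: str) -> List[str]:
    """Names of expected processes that are missing from the output or not running."""
    status = parse_app_status(output)
    return [name for name in EXPECTED
            if name not in status or not status[name]["running"]]


if __name__ == "__main__":
    for label, sample in (("guide sample", SAMPLE_OK), ("constructed", SAMPLE_DEGRADED)):
        problems = findings(sample)
        print(f"{label}: {'all processes running' if not problems else 'NOT running: ' + ', '.join(problems)}")
```

Treating an absent line as a finding matters as much as the "not running" case: a truncated or partially failed listing should never read as healthy.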

Caution

Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. For details about the impact of changing time zones, see “clock time zone” in Appendix A in the Cisco Identity Services Engine CLI Reference Guide, Release 1.1.2.

Supported Time Zones

This section provides three tables that provide more information about common Coordinated Universal Time (UTC) time zones for Europe, the United States and Canada, Australia, and Asia.

Note

We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture agent log files from the various nodes in the deployment are always synchronized with regard to the time stamps.

The format for time zones is POSIX or System V. POSIX time zone format syntax looks like America/Los_Angeles, and System V time zone syntax looks like PST8PDT.

• For time zones in Europe, the United States, and Canada, see Table 3-2.
• For time zones in Australia, see Table 3-3.
• For time zones in Asia, see Table 3-4.

Table 3-2 Europe, United States, and Canada Time Zones

| Acronym or Name | Time Zone Name |
|---|---|
| Europe | |
| GMT, GMT0, GMT-0, GMT+0, UTC, Greenwich, Universal, Zulu | Greenwich Mean Time, as UTC |
| GB | British |
| GB-Eire, Eire | Irish |
| WET | Western Europe Time, as UTC |
| CET | Central Europe Time, as UTC plus 1 hour |
| EET | Eastern Europe Time, as UTC plus 2 hours |
| United States and Canada | |
| EST, EST5EDT | Eastern Standard Time, as UTC minus 5 hours |
| CST, CST6CDT | Central Standard Time, as UTC minus 6 hours |
| MST, MST7MDT | Mountain Standard Time, as UTC minus 7 hours |
| PST, PST8PDT | Pacific Standard Time, as UTC minus 8 hours |
| HST | Hawaiian Standard Time, as UTC minus 10 hours |

Table 3-3 Australia Time Zones

Australia (1): ACT (2), Adelaide, Brisbane, Broken_Hill, Canberra, Currie, Darwin, Hobart, LHI (3), Lindeman, Lord_Howe, Melbourne, North, NSW (4), Perth, Queensland, South, Sydney, Tasmania, Victoria, West, Yancowinna

1. Enter the country and city together with a forward slash (/) between them; for example, Australia/Currie.
2. ACT = Australian Capital Territory
3. LHI = Lord Howe Island
4. NSW = New South Wales

Table 3-4 Asia Time Zones

Asia (1): Aden (2), Almaty, Amman, Anadyr, Aqtau, Aqtobe, Ashgabat, Ashkhabad, Baghdad, Bahrain, Baku, Bangkok, Beirut, Bishkek, Brunei, Kolkata, Choibalsan, Chongqing, Colombo, Damascus, Dhaka, Dili, Dubai, Dushanbe, Gaza, Harbin, Hong_Kong, Hovd, Irkutsk, Istanbul, Jakarta, Jayapura, Jerusalem, Kabul, Kamchatka, Karachi, Kashgar, Katmandu, Kuala_Lumpur, Kuching, Kuwait, Krasnoyarsk

1. The Asia time zone includes cities from East Asia, Southern Southeast Asia, West Asia, and Central Asia.
2. Enter the region and city or country together separated by a forward slash (/); for example, Asia/Aden.

Note

The Cisco ISE CLI show timezones command displays a list of all time zones available to you. Choose the most appropriate one for your network location.


Setup Process Verification

To verify that you have correctly completed the initial setup process, use one of the following two methods to log in to the Cisco ISE appliance:

• Web browser
• Cisco ISE CLI

After you log in to the Cisco ISE user interface, you should perform the following tasks:

• “Installing a License” section on page 7-3
• “Configuring the Cisco ISE System” section on page 7-10


Chapter 4

Installing Release 1.2 Software on a VMware Virtual Machine

This chapter describes the system requirements for installing the Cisco Identity Services Engine (ISE), Release 1.2 software on a VMware virtual machine (VM). The following topics provide information about the installation process:

• Supported VMware Versions, page 4-1
• Support for VMware vMotion in Release 1.2, page 4-2
• Virtual Machine Requirements, page 4-2
• Evaluating Release 1.2, page 4-5
• Configuring a VMware ESX or ESXi Server, page 4-5
• Preparing a VMware System for Cisco ISE Software Installation, page 4-17
• Installing Cisco ISE Software on a VMware System, page 4-19
• Connecting to a Cisco ISE VMware Server Using the Serial Console, page 4-21
• Cloning a Cisco ISE Virtual Machine, page 4-24

Note

The Inline Posture node is supported only on Cisco SNS-3415 and Cisco ISE 3300 series appliances. It is not supported on Cisco SNS-3495 series or VMware server systems. All the other designated roles are supported for use on VMware virtual machines.

Supported VMware Versions

Cisco ISE supports the following VMware servers and clients:

• VMware Elastic Sky X (ESX), version 4.0, 4.0.1, and 4.1
• VMware ESXi, version 4.x and 5.x
• VMware vSphere Client 4.x and 5.x

Note

Cisco ISE, Release 1.2, supports the VMware vMotion feature (live migration of virtual machines from one server to another).


Support for VMware vMotion in Release 1.2

Cisco ISE, Release 1.2, supports the VMware vMotion feature that allows you to migrate live virtual machine (VM) instances (running any persona) between hosts. For the VMware vMotion feature to be functional, the following conditions must be met:

• Shared storage—The storage for the VM must reside on a storage area network (SAN), and the SAN must be accessible by all the VMware hosts that can host the VM being moved.
• VMFS volume sharing—The VMware host must use shared virtual machine file system (VMFS) volumes.
• Gigabit Ethernet interconnectivity—The SAN and the VMware hosts must be interconnected with Gigabit Ethernet links.
• Processor compatibility—A compatible set of processors must be used. Processors must be from the same vendor and processor family for vMotion compatibility.

Virtual Machine Requirements

Table 4-1 lists the minimum system requirements to install Cisco ISE, Release 1.2, software on a VMware virtual machine and support 100 endpoints. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the VMware virtual machine should be allocated system resources equivalent to the Cisco SNS 3415 and 3495 appliances. Refer to the Deployment Size and Scaling Recommendations, page 1-10 and VMware Appliance Size Recommendations, page 4-3 for details.

Table 4-1 Minimum VMware System Requirements

| Requirement Type | Minimum Requirements |
|---|---|
| CPU | Single Quad-Core; 2.0 GHz or faster |
| Memory | 4 to 32 GB RAM |
| Hard disks | 200 GB to 2 TB of disk storage (size depends on deployment and tasks). Refer to Table 4-3 for more details. We recommend that your VM host server use hard disks with a minimum speed of 10,000 RPM. The Cisco ISE VM requires a minimum write bandwidth of 50 MB per second. This write bandwidth can be easily achieved if the hosting environment uses 10,000 RPM disks. Note: When you create the Virtual Machine for Cisco ISE, use a single virtual disk that meets the storage requirement. If you use more than one disk to meet the disk space requirement, the installer may not recognize all the disk space. |
| Storage | File System—VMFS. We recommend that you use VMFS for storage. Other storage protocols are not tested and might result in some file system errors. Internal Storage—SCSI/SAS. External Storage—iSCSI/SAN. We do not recommend the use of NFS storage. |
| Disk controller | SCSI controller |
| NIC | 1 GB NIC interface required (two or more NICs are recommended). Note: When creating network connections for any NICs that you configure, we recommend that you select E1000 from the Adapter drop-down list. Cisco ISE, Release 1.2, supports the E1000 and VMXNET3 adapters for all NICs. It does not support any other virtual NIC drivers. See Step 10 in Configuring a VMware Server, page 4-9. |
| Hypervisor | See Supported VMware Versions, page 4-1. |

VMware Appliance Size Recommendations

The VMware appliance specification should be comparable with the physical appliances. Table 4-2 lists the recommended VMware specification for the physical appliances in a production environment.

Table 4-2 VMware Appliance Specifications for a Production Environment

| Platform | Processor (1) | Memory | Total Disk Space (2) | Ethernet NICs (3) |
|---|---|---|---|---|
| SNS-3415 | Single socket Intel E5-2609 2.4 GHz CPU, 4 total cores | 16 GB | 600 GB | 4 x Integrated Gigabit NICs |
| SNS-3495 | Dual socket Intel E5-2609 2.4 GHz CPU, 8 total cores | 32 GB | 600 GB | 4 x Integrated Gigabit NICs |

1. Virtual machine resources should be dedicated. The VM resources should not be shared or oversubscribed across multiple VMs.
2. Policy Service nodes on virtual machines can be deployed with less disk space than Administration or Monitoring nodes. It is recommended to have 150 to 200 GB of disk space for Policy Service nodes. Refer to “Recommended VMware Disk Space” for information on the amount of disk space required for the various personas.
3. Virtual machines can be configured with 1 to 4 NICs. The recommendation is to allow for 2 or more NICs. Additional interfaces can be used to support various services such as profiling or RADIUS. Refer to Appendix C, “Cisco SNS-3400 Series Appliance Ports Reference” for details about the services that are supported on each of the ports.

Cisco ISE, Release 1.2 can be installed on virtual machines based on legacy appliance specifications, but for better performance, we recommend that you deploy new virtual machines based on the SNS-3400 series appliance specifications.


Disk Space Requirements

Table 4-3 lists the Cisco ISE disk-space allocation recommended for running a VMware server in a production deployment. Use the supported VMware ESX and ESXi server versions listed in Table 4-1 for running the Cisco ISE software.

Table 4-3 Recommended VMware Disk Space

| ISE Persona | Minimum Disk Space | Maximum Disk Space | Recommended Disk Space for Production |
|---|---|---|---|
| Standalone ISE | 200 GB | 2 TB | 600 GB to 2 TB (1) |
| Distributed ISE — Administration only (2) | 200 GB | 2 TB | 250 to 300 GB |
| Distributed ISE — Monitoring only | 200 GB | 2 TB | 600 GB to 2 TB (1) |
| Distributed ISE — Policy Service only (2) | 100 GB | 2 TB | 150 to 200 GB |
| Distributed ISE — Administration and Monitoring | 200 GB | 2 TB | 600 GB to 2 TB (1) |
| Distributed ISE — Administration, Monitoring, and Policy Service | 200 GB | 2 TB | 600 GB to 2 TB |

1. Disk allocation varies based on logging retention requirements. See Table 4-4 for details.
2. Additional disk space may be allocated to support local logging, and to store the backup and upgrade files on the local disk.

Cisco ISE must be installed on a single disk in VMware.

Note

You can allocate only up to 2 TB of disk space for a Cisco ISE, Release 1.2, virtual machine (VM). On any node that has the Monitoring persona enabled, 30 percent of the VM disk space is allocated for log storage. A deployment with 25,000 endpoints generates approximately 1 GB of logs per day. For example, if you have a Monitoring node with 600-GB VM disk space, 180 GB is allocated for log storage. If 100,000 endpoints connect to this network every day, it generates approximately 4 GB of logs per day. In this case, you can store 38 days of logs in the Monitoring node, after which you must transfer the old data to a repository and purge it from the Monitoring database. For extra log storage, you can increase the VM disk space. For every 100 GB of disk space that you add, you get 30 GB more for log storage. Depending on your requirements, you can increase the VM disk size up to a maximum of 2 TB or 614 GB of log storage. If you increase the disk size of your virtual machine, you must not upgrade to Cisco ISE 1.2, but instead do a fresh installation of Cisco ISE 1.2 on your virtual machine.

Table 4-4 provides the number of days that logs can be retained on your Monitoring node based on the disk space allotted to it and the number of endpoints that connect to your network.

Table 4-4

Days that Logs can be Stored in a Monitoring Node (1)

| No. of Endpoints | 200 GB | 400 GB | 600 GB | 1024 GB | 2048 GB |
|---|---|---|---|---|---|
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 20,000 | 63 | 126 | 189 | 323 | 645 |
| 30,000 | 42 | 84 | 126 | 215 | 430 |
| 40,000 | 32 | 63 | 95 | 162 | 323 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |
| 150,000 | 9 | 17 | 26 | 43 | 86 |
| 200,000 | 7 | 13 | 19 | 33 | 65 |
| 250,000 | 6 | 11 | 16 | 26 | 52 |

1. Numbers are based on having log suppression and anomalous client detection enabled.
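The 30 percent rule and the 1 GB per 25,000 endpoints figure from the note above, as an added example that is not from the Cisco guide: the functions compute the log budget for a VM disk, the days it covers, and the disk needed for a retention target, rounding the disk up in 100 GB steps (a planning choice of this example, matching the "for every 100 GB you add" wording) and refusing anything beyond the 2 TB cap. Table 4-4 is more conservative than the 1 GB figure (38 days for 100,000 endpoints on 600 GB, where the stated rate gives 45), so size from the table and use these helpers to reason about the budget and the purge schedule.

```python
"""Monitoring-node log retention arithmetic for the VM disk-space note.

Added example, not from the Cisco guide. It encodes the rules the note
states: 30 percent of the VM disk is reserved for logs, roughly 1 GB of
logs per day per 25,000 endpoints, and a 2 TB cap on the VM disk. Table 4-4
is more conservative than this rate, so size from the table and use these
helpers to reason about the 30 percent budget.
"""
import math

LOG_SHARE_PERCENT = 30        # log storage = 30% of the VM disk
MAX_VM_DISK_GB = 2048         # 2 TB cap on the ISE 1.2 VM disk
MIN_MON_DISK_GB = 200         # Table 4-3 minimum for a Monitoring persona
GB_PER_DAY_PER_25K = 1.0      # guide's approximation: ~1 GB/day per 25,000 endpoints


def log_storage_gb(vm_disk_gb: int) -> int:
    """Log storage the node reserves for a given VM disk size (integer arithmetic)."""
    if vm_disk_gb > MAX_VM_DISK_GB:
        raise ValueError("Cisco ISE 1.2 VM disk cannot exceed 2 TB")
    return vm_disk_gb * LOG_SHARE_PERCENT // 100   # 600 -> 180, 2048 -> 614


def daily_log_gb(endpoints: int) -> float:
    """Approximate daily log volume for the endpoint count."""
    return endpoints / 25000 * GB_PER_DAY_PER_25K


def retention_days(vm_disk_gb: int, endpoints: int) -> int:
    """Whole days of logs that fit before old data must be exported to a repository and purged."""
    return int(log_storage_gb(vm_disk_gb) / daily_log_gb(endpoints))


def disk_for_retention(endpoints: int, days: int) -> int:
    """Smallest VM disk, in 100 GB steps, that holds `days` of logs; raises above the 2 TB cap."""
    needed_log_gb = daily_log_gb(endpoints) * days
    disk = math.ceil(needed_log_gb * 100 / LOG_SHARE_PERCENT / 100) * 100
    disk = max(disk, MIN_MON_DISK_GB)
    if disk > MAX_VM_DISK_GB:
        raise ValueError(f"{days} days at {endpoints} endpoints needs {disk} GB, which exceeds "
                         "the 2 TB cap; shorten retention and schedule export-and-purge")
    return disk


if __name__ == "__main__":
    # Constructed planning scenario using the note's own figures.
    print("log budget on 600 GB:", log_storage_gb(600), "GB")
    print("days at 100,000 endpoints on 600 GB:", retention_days(600, 100000))
    print("disk for 38 days at 100,000 endpoints:", disk_for_retention(100000, 38), "GB")
```

The ValueError path is the important one for an operator: once a retention target does not fit under 2 TB, the answer is not a bigger disk but an export-and-purge cadence, which the note also calls for once the budget is exhausted.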

Evaluating Release 1.2

For evaluation purposes, Cisco ISE, Release 1.2, can be installed on any supported VMware virtual machines (VMs) that comply with the requirements shown in Table 4-1. When evaluating Release 1.2, you can configure less disk space in the VM, but you still are required to allocate a minimum disk space of 100 GB.

Note

You cannot migrate data to a production VM from a VM created with less than 200 GB of disk space. You can migrate data only from VMs created with 200 GB or more disk space to a production environment.

To obtain the Cisco ISE, Release 1.2 evaluation software (R-ISE-EVAL-K9=), contact your Cisco Account Team or your Authorized Cisco Channel Partner. To migrate a Cisco ISE configuration from an evaluation system to a fully licensed production system, you need to complete the following tasks:

• Back up the configuration of the evaluation version.
• Ensure that your production VM has the required amount of disk space. Refer to Deployment Size and Scaling Recommendations, page 1-10 for details.
• Install a production deployment license.
• Restore the configuration to the production system.

Note

For evaluation, the minimum allocation requirements for a hard disk on a VMware server that supports 100 users is 100 GB. When you move the VMware server to a production environment that supports a larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum disk size that is listed in Table 4-3 or higher (up to the allowed maximum of 2 TB).

Configuring a VMware ESX or ESXi Server This section describes how to configure a VMware ESX or ESXi server on a VMware virtual machine.


To perform the following procedures, you must log in to the ESXi server as a user with administrative privileges (root user). The values that are provided in the following procedures and illustrations are examples only. Actual values depend on your deployment requirements.

Before You Begin

Before you configure a VMware ESX or ESXi server, read the following:

• Cisco ISE, Release 1.2, is a 64-bit system. Before you install a 64-bit system, ensure that Virtualization Technology (VT) is enabled on the ESX/ESXi server. Also, ensure that the virtual machine’s guest operating system is set to 64 bits. See Enabling Virtualization Technology on an ESX or ESXi Server, page 4-7 for more information. For information on hardware and firmware requirements to support 64-bit, guest-operating systems, refer to the following VMware Knowledge Base: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1011712
• You must also ensure that your guest operating system type is set to Red Hat Enterprise Linux 5 (64-bit). Refer to http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005870 for information on how to set your guest operating system type.
• For Red Hat Enterprise Linux 5, the default NIC type is E1000. We recommend that you choose E1000 Adapter. Cisco ISE also supports VMXNET3 Adapter. You can add up to four NICs for your Cisco ISE virtual machine, but ensure that you choose the same Adapter for all the NICs. Cisco ISE, Release 1.2, does not support the VMXNET2 Adapter.
• Ensure that you allocate the recommended amount of disk space on the VMware virtual machine. See Table 4-3 on page 4-4 for more details.
• If you have not created a VMware virtual machine file system (VMFS), you must create one to support the Cisco ISE virtual appliance. The VMFS is set for each of the storage volumes configured on the VMware host.
  – If you use VMFS5, the 1-MB block size supports up to 2 TB virtual disk size.
  – If you use VMFS3, you must choose a VMFS block size based on the largest virtual-disk size hosted on the VMware host. After you configure the VMFS block size, you cannot change it without reformatting the VMFS partitions. For VMFS3, the VMFS block size should be based on the size of the largest virtual disk:

Table 4-5 VMFS Block Size

| Block Size | Virtual Disk Size |
|---|---|
| 1 MB | 256 GB |
| 2 MB | 512 GB |
| 4 MB | 1 TB |
| 8 MB | 2 TB |

• Do not choose VMware thin provisioning as a storage type. This release of the Cisco ISE software does not support using VMware thin provisioning as a storage type on any of the supported VMware servers. Thin provisioning is not a default setting and Cisco advises against selecting it in Step 13 (as shown in Figure 4-13).
• If you are enabling the Profiler service, ensure that you have read and performed the tasks described in Configuring VMware Server Interfaces for the Cisco ISE Profiler Service, page 4-8.


Enabling Virtualization Technology on an ESX or ESXi Server

Cisco ISE, Release 1.2, is a 64-bit system, and supports VMware ESX versions 4.0, 4.0.1, and 4.1, and ESXi versions 4.x and 5.x. These ESX and ESXi versions can be installed only on 64-bit hardware. Therefore, you can reuse the same hardware that you used for hosting a Cisco ISE, Release 1.1.x, virtual machine with Release 1.2. However, before you install Release 1.2, you must enable Virtualization Technology (VT) on the ESX or ESXi server.

If you have an ESX or ESXi server installed already, you can check if VT is enabled on it without rebooting the machine. To do this, use the esxcfg-info command. Here is an example:

~ # esxcfg-info |grep "HV Support"
   |----HV Support............................................3
      |----World Command Line.................................grep HV Support

If HV Support has a value of 3, then VT is enabled on the ESX or ESXi server and you can proceed with the installation. If HV Support has a value of 2, then VT is supported, but not enabled on the ESX or ESXi server. You must edit the BIOS settings and enable VT on the ESX or ESXi server. For more information about the esxcfg-info command, refer to the VMware Knowledge Base at: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1011712

This section describes how to edit the BIOS settings and enable VT on an SNS-3400 series appliance. The instructions and illustrations in this section are examples only. The BIOS menu for your hardware might vary from what you see in this example. Refer to the following VMware Knowledge Base for enabling VT on your ESX or ESXi server: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003944

Step 1

Reboot the SNS-3400 series appliance.

Step 2

Press F2 to enter setup.

Step 3

Choose Advanced > Processor Configuration.

Figure 4-1 Editing the BIOS Setting on an SNS-3400 Series Appliance

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 OL-27044-01

4-7

Chapter 4

Installing Release 1.2 Software on a VMware Virtual Machine

Configuring a VMware ESX or ESXi Server

Step 4

Select Intel(R) VT and enable it. Figure 4-2

Step 5

Enabling VT on an SNS-3400 Series Appliance

Press F10 to save your changes and exit.
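The HV Support check described above can be scripted so that a host is verified before any Cisco ISE installation is attempted. The following shell script is an added example and is not part of the Cisco guide or of VMware's tooling; it parses the esxcfg-info output shown above and classifies the host. The sample outputs embedded in it are constructed, and the meaning of the values 0 and 1 (hardware without usable VT) is taken from VMware KB 1011712 rather than from this guide.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): classify the "HV Support" value
# reported by `esxcfg-info` on an ESX/ESXi host before installing Cisco ISE.
# Value meanings follow VMware KB 1011712:
#   3   = VT/AMD-V enabled in the BIOS (install can proceed)
#   2   = CPU supports VT/AMD-V but it is disabled in the BIOS
#   0/1 = VT/AMD-V not available on this hardware

# hv_value "<esxcfg-info output>" -> the digit after "HV Support....", or "" if absent.
# Only the "|----HV Support......N" line ends in a digit; the "World Command Line"
# line that grep also matches does not, so it is ignored.
hv_value() {
    printf '%s\n' "$1" \
        | sed -n 's/.*HV Support\.*\([0-9]\)[[:space:]]*$/\1/p' \
        | head -n 1
}

# hv_status "<esxcfg-info output>" -> enabled | disabled | unsupported | unknown
hv_status() {
    case "$(hv_value "$1")" in
        3)   echo enabled ;;
        2)   echo disabled ;;
        0|1) echo unsupported ;;
        *)   echo unknown ;;
    esac
}

# hv_ready "<esxcfg-info output>" -> exit status 0 only when VT is enabled,
# so it can gate an automated install step.
hv_ready() {
    [ "$(hv_status "$1")" = "enabled" ]
}

# Constructed samples, modelled on the output shown in the guide.
SAMPLE_ENABLED='|----HV Support............................................3
|----World Command Line.................................grep HV Support'
SAMPLE_DISABLED='|----HV Support............................................2
|----World Command Line.................................grep HV Support'
SAMPLE_UNSUPPORTED='|----HV Support............................................1'

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_UNSUPPORTED"; do
    echo "HV Support=$(hv_value "$s") -> $(hv_status "$s")"
done

# On a real host, feed in the live output (esxcfg-info exists only on ESX/ESXi).
if command -v esxcfg-info >/dev/null 2>&1; then
    live=$(esxcfg-info | grep "HV Support")
    if hv_ready "$live"; then
        echo "VT is enabled; proceed with the Cisco ISE installation."
    else
        echo "VT status: $(hv_status "$live"); enable VT in the BIOS before installing."
    fi
fi
```

Run it from the ESXi shell (or any POSIX shell for the samples); a non-zero exit from hv_ready is the signal to stop and reboot into the BIOS as described in Steps 1 through 5.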

Configuring VMware Server Interfaces for the Cisco ISE Profiler Service

To configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service, perform the following steps:

Step 1 Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server instance) > VMswitch0 (one of your VMware ESXi server interfaces) > Properties > Security.

Step 2 In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.

Step 3 In the Promiscuous Mode drop-down list, choose Accept and click OK. Repeat the same steps on the other VMware ESX server interface used for profiler data collection of SPAN or mirrored traffic.

Note Accepting promiscuous mode lets every virtual machine attached to that vSwitch or port group see all of the traffic that reaches it, not only the Cisco ISE probe interface. Enable it only on a vSwitch or port group that is dedicated to the SPAN or mirrored feed, and keep the Cisco ISE management interface and other virtual machines on port groups where promiscuous mode remains rejected.

Figure 4-3 VMNetwork Properties Window

Configuring a VMware Server

This section describes how to configure VMware servers by using the VMware vSphere Client.

Step 1 Log in to the ESXi server.

Step 2 In the VMware vSphere Client, in the left pane, right-click your host container and choose New Virtual Machine.

Step 3 In the Configuration dialog box, choose Custom for the VMware configuration, as shown in Figure 4-4, and click Next.

Figure 4-4 Virtual Machine Configuration Dialog Box

The Name and Location dialog box appears (see Figure 4-5).

Step 4 Enter a name for the VMware system and click Next.

Tip Use the hostname that you want to use for your VMware host.

Figure 4-5 Name and Location Dialog Box

The Datastore dialog box appears (see Figure 4-6).

Step 5 Choose a datastore that has the recommended amount of space available and click Next. Refer to Table 4-3 for details.

Figure 4-6 Datastore Dialog Box

The Virtual Machine Version dialog box appears.

Step 6 (Optional) If your VM host or cluster supports more than one VMware virtual machine version, choose a Virtual Machine version such as Virtual Machine Version 7, and click Next (see Figure 4-7).

Figure 4-7 Virtual Machine Version

The Guest Operating System dialog box appears (see Figure 4-8).

Step 7 Choose Linux and Red Hat Enterprise Linux 5 (64-bit) from the Version drop-down list.

Figure 4-8 Guest Operating System Dialog Box

The Number of Virtual Processors dialog box appears (see Figure 4-9).

Step 8 Choose 2 from the Number of virtual sockets and the Number of cores per virtual socket drop-down lists. The total number of cores should be 4. Refer to "VMware Appliance Specifications for a Production Environment" for details. Click Next. (Optional; appears in some versions of ESX server. If you see only the Number of virtual processors field, choose 4.)

Figure 4-9 Number of Virtual Processors Dialog Box

The Memory Configuration dialog box appears (see Figure 4-10).

Step 9 Enter a value based on the recommendations in Table 4-2, and click Next.

Figure 4-10 Memory Configuration Dialog Box

The Network Interface Card (NIC) Configuration dialog box appears (see Figure 4-11).

Step 10 Choose a NIC and adapter and click Next.

Note We recommend that you choose the E1000 adapter. Cisco ISE, Release 1.2, supports only the E1000 and VMXNET3 adapters. It does not support any other virtual NIC drivers.

Figure 4-11 NIC Configuration Dialog Box

The SCSI controller dialog box appears.

Step 11 Choose LSI Logic Parallel as the SCSI controller and click Next. The Select a Disk dialog box appears (see Figure 4-12).

Step 12 Choose Create a new virtual disk and click Next.

Figure 4-12 Select a Disk

The Virtual Disk Size and Provisioning Policy dialog box appears.

Step 13 In the Disk Provisioning dialog box, click the Thick Provisioning Lazy Zeroed radio button. Click Next to continue. (See Figure 4-13.) If you are using an earlier version of the VMware client, uncheck the following options:

a. Uncheck the Allocate and commit space on demand (Thin Provisioning) check box.

b. Uncheck the Support clustering features such as Fault Tolerance check box.

Note When selecting the Thick Provisioned Lazy Zeroed option, the virtual disk is allocated all of its provisioned space and immediately made accessible to the virtual machine. A lazy zeroed disk is not zeroed up front, which makes the provisioning very fast. However, there is an added latency on first write because each block is zeroed out before it is written to for the first time. We recommend the Thick Provisioned Eager Zeroed (Recommended for I/O intensive workloads) option when deploying an I/O intensive application on VMFS. The virtual disk is allocated all of its provisioned space and the entire VMDK file is zeroed out before allowing the virtual machine access. This means that the VMDK file will take longer to become accessible to the virtual machine, but will not incur the additional latency of zeroing on first write.

Figure 4-13 Disk Provisioning Dialog Box

The Advanced Options dialog box appears.

Step 14 Choose the advanced options, and click Next. The Ready to Complete New Virtual Machine dialog box appears (see Figure 4-14).

Step 15 Verify the configuration details, such as Name, Guest OS, CPUs, Memory, and Disk Size of the newly created VMware system. You must see the following values:

• Guest OS—Red Hat Enterprise Linux 5 (64-bit)

• CPUs—4

• Memory—4 GB or 4096 MB

• Disk Size—200 GB to 2 TB based on the recommendations for VMware disk space

For the Cisco ISE installation to be successful on a virtual machine, ensure that you adhere to the recommendations given in this document.

Figure 4-14 Ready to Complete Dialog Box

Step 16 Click Finish. The VMware system is now installed.

To activate the newly created VMware system, right-click the VM in the left pane of your VMware client user interface and choose Power > Power On.
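The values that Step 15 asks you to verify by eye can also be checked against the files VMware writes for the VM. The script below is an added example and is not part of the Cisco guide or of VMware's tooling; it reads a VM's .vmx configuration file and its virtual-disk descriptor (.vmdk) and reports which of the requirements from Steps 7 through 15 are met. The key names it looks for (guestOS, numvcpus, memsize, ethernet0.virtualDev, scsi0.virtualDev, the RW extent line and ddb.thinProvisioned) and the identifier rhel5-64 for "Red Hat Enterprise Linux 5 (64-bit)" are VMware's file conventions and are assumptions not stated in this guide; the two sample VMs are constructed.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check a VM's .vmx file and .vmdk
# descriptor against the Cisco ISE 1.2 requirements listed in Step 15
# (RHEL 5 64-bit guest, 4 vCPUs, >= 4096 MB, E1000 or VMXNET3 NIC,
# LSI Logic Parallel SCSI, 200 GB to 2 TB thick-provisioned disk).
# Key names and the rhel5-64 guest identifier are VMware file conventions
# assumed here, not values quoted from the guide.

# cfg_get "<file contents>" key  -> value from a   key = "value"   line
cfg_get() {
    _key=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots for the regex
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$_key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        | head -n 1
}

# vmdk_size_gib "<descriptor contents>" -> provisioned size in GiB
# (sum of the 512-byte sectors on the "RW <sectors> VMFS ..." extent lines)
vmdk_size_gib() {
    printf '%s\n' "$1" | awk '/^RW /{s+=$2} END{printf "%d\n", s/2097152}'
}

_ok()   { echo "OK:   $1"; }
_fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_ise_vm "<vmx contents>" "<vmdk contents>" -> one line per check;
# the return value is the number of failed checks (0 = VM matches Step 15).
check_ise_vm() {
    fails=0
    guest=$(cfg_get "$1" guestOS)
    if [ "$guest" = "rhel5-64" ]; then _ok "guest OS $guest"
    else _fail "guest OS '$guest' (expected rhel5-64)"; fi

    vcpus=$(cfg_get "$1" numvcpus)
    if [ "$vcpus" = "4" ]; then _ok "4 vCPUs"
    else _fail "vCPUs '$vcpus' (expected 4)"; fi

    mem=$(cfg_get "$1" memsize); mem=${mem:-0}
    if [ "$mem" -ge 4096 ] 2>/dev/null; then _ok "memory $mem MB"
    else _fail "memory '$mem' MB (expected at least 4096)"; fi

    nic=$(cfg_get "$1" ethernet0.virtualDev)
    case "$nic" in
        e1000|vmxnet3) _ok "NIC $nic" ;;
        *) _fail "NIC '$nic' (only e1000 and vmxnet3 are supported)" ;;
    esac

    scsi=$(cfg_get "$1" scsi0.virtualDev)
    if [ "$scsi" = "lsilogic" ]; then _ok "SCSI controller LSI Logic Parallel"
    else _fail "SCSI controller '$scsi' (expected lsilogic)"; fi

    size=$(vmdk_size_gib "$2")
    if [ "$size" -ge 200 ] && [ "$size" -le 2048 ]; then _ok "disk $size GiB"
    else _fail "disk $size GiB (expected 200 GiB to 2 TiB)"; fi

    if [ "$(cfg_get "$2" ddb.thinProvisioned)" = "1" ]; then _fail "disk is thin provisioned (not supported)"
    else _ok "disk is thick provisioned"; fi

    return "$fails"
}

# Constructed samples: one VM built as the guide describes, one that was not.
GOOD_VMX='config.version = "8"
virtualHW.version = "7"
displayName = "ise-psn-1"
guestOS = "rhel5-64"
numvcpus = "4"
cpuid.coresPerSocket = "2"
memsize = "4096"
scsi0.virtualDev = "lsilogic"
scsi0:0.fileName = "ise-psn-1.vmdk"
ethernet0.virtualDev = "e1000"'
GOOD_VMDK='# Disk DescriptorFile
version=1
createType="vmfs"
RW 419430400 VMFS "ise-psn-1-flat.vmdk"
ddb.adapterType = "lsilogic"'
BAD_VMX='guestOS = "rhel5-64"
numvcpus = "2"
memsize = "2048"
scsi0.virtualDev = "pvscsi"
ethernet0.virtualDev = "vlance"'
BAD_VMDK='RW 209715200 VMFS "ise-psn-2-flat.vmdk"
ddb.thinProvisioned = "1"'

check_ise_vm "$GOOD_VMX" "$GOOD_VMDK"
check_ise_vm "$BAD_VMX" "$BAD_VMDK" || echo "$? check(s) failed"
```

On a real host, pass the file contents in with `check_ise_vm "$(cat /vmfs/volumes/<datastore>/<vm>/<vm>.vmx)" "$(cat .../<vm>.vmdk)"`; the descriptor, not the -flat.vmdk data file, is the one to read.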

Preparing a VMware System for Cisco ISE Software Installation

After configuring the VMware system, you are ready to install the Cisco ISE software. To install the Cisco ISE software from a DVD, you need to configure the VMware system to boot from it. This requires the VMware system to be configured with a virtual DVD drive. You can perform this installation by using different methods that are dependent upon your network environment. See "Configuring a VMware System to Boot From a Cisco ISE Software DVD" to configure the VMware system by using the DVD drive of a VMware ESX server host.

Note You must download the Cisco ISE 1.2 ISO, burn the ISO image on a DVD, and use it to install Cisco ISE 1.2 on the virtual machine.

Configuring a VMware System to Boot From a Cisco ISE Software DVD

This section describes how to configure a VMware system to boot from the Cisco ISE software DVD by using the DVD drive of the VMware ESX server host.


Step 1 In the VMware client, highlight the newly created VMware system and choose Edit Virtual Machine Settings. The Virtual Machine Properties window appears. Figure 4-15 displays the properties of a VMware system that is created.

Figure 4-15 Virtual Machine Properties Dialog Box

Step 2 In the Virtual Machine Properties dialog box, choose CD/DVD Drive 1. The CD/DVD Drive 1 properties dialog box appears.

Step 3 Click the Host Device radio button and choose the DVD host device from the drop-down list.

Figure 4-16 Virtual Machine Properties - Host Device Option

Step 4 Choose the Connect at Power On option and click OK to save your settings. You can now use the DVD drive of the VMware ESX server to install the Cisco ISE software.

After you complete this task, click the Console tab in the VMware client user interface, right-click the VM in the left pane, choose Power, and choose Reset to restart the VMware system.

Installing Cisco ISE Software on a VMware System

Step 1 Log in to the VMware client.

Step 2 Ensure that the Coordinated Universal Time (UTC) is set in BIOS:

a. If the VMware system is turned on, turn the system off.

b. Turn on the VMware system.

c. Press F1 to enter the BIOS Setup mode.

d. Using the arrow keys, navigate to the Date and Time field and press Enter.

e. Enter the UTC/Greenwich Mean Time (GMT) time zone.

Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.

f. Press Esc to exit to the main BIOS menu.

g. Press Esc to exit from the BIOS Setup mode.


Note After installation, if you do not install a permanent license, Cisco ISE automatically installs a 90-day evaluation license that supports a maximum of 100 endpoints.

Step 3 Insert the Cisco ISE software DVD into the VMware ESX host CD/DVD drive and turn on the virtual machine.

Note Download the Cisco ISE, Release 1.2, software from the Cisco Software Download Site at http://www.cisco.com/en/US/products/ps11640/index.html and burn it on a DVD. You will be required to provide your Cisco.com credentials.

When the DVD boots, the console displays:

Welcome to Cisco ISE

To boot from the hard disk press <Enter>

Available boot options:
[1] Cisco Identity Services Engine Installation (Monitor/Keyboard)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk

Please enter boot option and press <Enter>.

boot: 1

You can choose either the monitor and keyboard port, or the console port to perform the initial setup.

Step 4 At the system prompt, enter 1 to choose a monitor and keyboard port or 2 to choose a console port and press Enter. The installer starts the installation of the Cisco ISE software on the VMware system.

Note Allow 20 minutes for the installation process to complete. When the installation process finishes, the virtual machine reboots automatically.

When the VM reboots, the console displays:

Type 'setup' to configure your appliance
localhost:

Step 5 At the system prompt, type setup and press Enter. The Setup Wizard appears and guides you through the initial configuration. For more information about the setup process, see Cisco ISE Setup Program Parameters, page 3-7.

Connecting to a Cisco ISE VMware Server Using the Serial Console

To connect to the Cisco ISE VMware server using the serial console, perform the following steps:

Step 1 Power down the particular VMware server (for example, ISE-120).

Step 2 Right-click the VMware server and choose Edit.

Step 3 Click Add on the Hardware tab (see Figure 4-15).

Step 4 Choose Serial Port and click Next (see Figure 4-17).

Figure 4-17 Add Hardware - Device Type

Step 5 In the Serial Port Output area, click the Use physical serial port on the host or the Connect via Network radio button and click Next (see Figure 4-18).

Figure 4-18 Add Hardware - Serial Port Type

a. If you choose the Connect via Network option, you must open the firewall ports on the ESX server.

b. If you select Use physical serial port on the host, choose the port. You may choose one of the following two options:

• /dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).

• /dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).

Step 6 Click Next (see Figure 4-19).

Figure 4-19 Select a Physical Serial Port

Step 7 In the Device Status area, check the appropriate check box. The default is Connected (see Figure 4-20).

Figure 4-20 Hardware - Device Status

Step 8 Click OK to connect to the Cisco ISE VMware server.

Cloning a Cisco ISE Virtual Machine

You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node. For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs individually. You can also clone a Cisco ISE VM using a template. See Cloning a Cisco ISE Virtual Machine Using a Template, page 4-26 for more information.

Before You Begin

• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.

• Ensure that you change the IP Address and Hostname of the cloned machine before you power it on and connect it to the network.

• Because the clone is an exact copy, it also carries the source node's certificates and private keys. Obtain certificates issued for the new hostname or IP address before you put the clone into service (see Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-27).

Step 1 Log in to the ESXi server as a user with administrative privileges (root user).

Step 2 Right-click the Cisco ISE VM you want to clone, and click Clone (see Figure 4-21).

Figure 4-21 Cloning a Cisco ISE Virtual Machine

Step 3 Enter a name for the new machine that you are creating in the Name and Location dialog box and click Next. This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your reference.

Step 4 Select a Host or Cluster on which you want to run the new Cisco ISE VM and click Next.

Step 5 Select a datastore for the new Cisco ISE VM that you are creating and click Next. This datastore could be the local datastore on the ESX or ESXi server or a remote storage. See Table 4-1 on page 4-2 for supported storage types. Ensure that the datastore has enough disk space as described in Table 4-3 on page 4-4.

Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next. This option copies the same format that is used in the Cisco ISE VM that you are cloning this new machine from.

Step 7 Click the Do not customize radio button in the Guest Customization dialog box and click Next. The Ready to Complete dialog box appears (see Figure 4-22).

Figure 4-22 Ready to Clone Dialog

Step 8 Click Finish.

What To Do Next

• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-27

• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-29

Related Topics

• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-26


Cloning a Cisco ISE Virtual Machine Using a Template

If you are using vCenter, then you can use a VMware template to clone a Cisco ISE virtual machine (VM). You can clone the Cisco ISE node to a template and use that template to create multiple new Cisco ISE nodes. Cloning a virtual machine using a template is a two-step process:

1. Creating a Virtual Machine Template, page 4-26

2. Deploying a Virtual Machine Template, page 4-26

Creating a Virtual Machine Template

Before You Begin

• Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.

• We recommend that you create a template from a Cisco ISE, Release 1.2, VM that you have just installed and not run the setup program on. You can then run the setup program on each of the individual Cisco ISE nodes that you have created and configure IP addresses and hostnames individually.

Step 1 Log in to the ESXi server as a user with administrative privileges (root user).

Step 2 Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.

Step 3 Enter a name for the template, choose a location to save the template in the Name and Location dialog box, and click Next.

Step 4 Choose the ESX host that you want to store the template on and click Next.

Step 5 Choose the datastore that you want to use to store the template and click Next. Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more details.

Step 6 Click the Same format as source radio button in the Disk Format dialog box and click Next. The Ready to Complete dialog box appears.

Step 7 Click Finish.

Deploying a Virtual Machine Template

After you create a virtual machine template, you can deploy it on other virtual machines (VMs).

Step 1 Right-click the Cisco ISE VM template that you have created and choose Deploy Virtual Machine from this template.

Step 2 Enter a name for the new Cisco ISE node, choose a location for the node in the Name and Location dialog box, and click Next.

Step 3 Choose the ESX host where you want to store the new Cisco ISE node and click Next.

Step 4 Choose the datastore that you want to use for the new Cisco ISE node and click Next. Ensure that this datastore has the required amount of disk space. See Table 4-3 on page 4-4 for more details.

Step 5 Click the Same format as source radio button in the Disk Format dialog box and click Next.

Step 6 Click the Do not customize radio button in the Guest Customization dialog box. The Ready to Complete dialog box appears.

Step 7 Check the Edit Virtual Hardware check box and click Continue. The Virtual Machine Properties page appears.

Step 8 Choose Network adapter, uncheck the Connected and Connect at power on check boxes, and click OK.

Step 9 Click Finish. You can now power on this Cisco ISE node, configure the IP address and hostname, and connect it to the network.

What To Do Next

• Changing the IP Address and Hostname of a Cloned Virtual Machine, page 4-27

• Connecting a Cloned Cisco Virtual Machine to the Network, page 4-29

Related Topics

• Cloning a Cisco ISE Virtual Machine Using a Template, page 4-26

Changing the IP Address and Hostname of a Cloned Virtual Machine

After you clone a Cisco ISE virtual machine (VM), you have to power it on and change the IP address and hostname. You cannot use "localhost" as the hostname for a node.

Before You Begin

• Ensure that the Cisco ISE node is in the standalone state.

• Ensure that the network adapter on the newly cloned Cisco ISE VM is not connected when you power on the machine. Uncheck the Connected and Connect at power on check boxes. See Figure 4-23. Otherwise, if this node comes up, it will have the same IP address as the source machine from which it was cloned.

Figure 4-23 Disconnecting the Network Adapter

• Ensure that you have the IP address and hostname that you are going to configure for the newly cloned VM as soon as you power on the machine. This IP address and hostname entry should be in the DNS server.

• Ensure that you have certificates for the Cisco ISE nodes based on the new IP address or hostname.

Step 1 Right-click the newly cloned Cisco ISE VM and choose Power > Power On.

Step 2 Select the newly cloned Cisco ISE VM and click the Console tab.

Step 3 Enter the following commands on the Cisco ISE CLI:

configure terminal
hostname <hostname>

where <hostname> is the new hostname that you are going to configure. The Cisco ISE services are restarted.

Step 4 Enter the following commands:

interface gigabit 0
ip address <ip_address> <netmask>

where <ip_address> is the address that corresponds to the hostname that you entered in Step 3 and <netmask> is the subnet mask of that address. The system will prompt you to restart the Cisco ISE services.

Step 5 Enter Y to restart the Cisco ISE services.

Related Topics

Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.2, for the ip address and hostname commands.


Connecting a Cloned Cisco Virtual Machine to the Network

After you power on and change the IP address and hostname, you must connect the Cisco ISE node to the network.

Step 1 Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings.

Step 2 Click Network adapter in the Virtual Machine Properties dialog box.

Step 3 In the Device Status area, check the Connected and Connect at power on check boxes.

Step 4 Click OK.


CHAPTER 5

Installing Release 1.2 Software on Cisco ISE 3300 Series, Cisco NAC, and Cisco Secure ACS Appliances

This chapter describes the process for performing an initial (or fresh) installation of the Cisco ISE, Release 1.2, software from a DVD on the following supported Cisco ISE-3300, Cisco Secure ACS, and Cisco NAC appliance platforms:

• Cisco ISE-3315

• Cisco ISE-3355

• Cisco ISE-3395

• Cisco Secure ACS-1121

• Cisco NAC-3315

• Cisco NAC-3355

• Cisco NAC-3395

Note Download the Cisco ISE, Release 1.2, ISO image, burn the ISO image on a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances. Installing the software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because the underlying hardware on which the Cisco ISE software will be installed is the same physical device type.

Note

• Cisco Secure ACS-1121 and Cisco NAC-3315 appliances are based on the same physical hardware that is used for small Cisco ISE network deployments (Cisco ISE 3315 appliances).

• Cisco NAC-3355 and Cisco NAC-3395 appliances are based on the same physical hardware that is used for medium and large Cisco ISE network deployments (Cisco ISE 3355 and Cisco ISE 3395 appliances, respectively).

For specific details about the Cisco ISE 3300 series hardware platforms, see the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x.

This chapter describes the following procedures:

• Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2—Provides instructions for installing the Cisco ISE, Release 1.2, software using a DVD.

• Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance, page 5-3—Provides instructions for installing the Cisco ISE software with a DVD, configuring the appliance using the Setup program, and verifying the configuration process.

• Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance, page 5-3—Provides instructions for installing the Cisco ISE software with a DVD, configuring the appliance using the Setup program, and verifying the configuration process.

• Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance, page 5-4—Provides instructions for installing the Cisco ISE software with a DVD, including how to reset the RAID configuration on the Cisco NAC appliance before you complete the reimage process.

Note To reuse a Cisco Secure ACS or Cisco NAC appliance as a Cisco ISE, Release 1.2 appliance, reimage the Cisco Secure ACS or Cisco NAC appliance, install the Cisco ISE software, and use the Setup program to configure the appliance.

Installing Cisco ISE, Release 1.2, Software from a DVD

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances.

• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before you run the setup program.

Step 1 Connect a keyboard and a VGA monitor to the appliance.

Step 2 Ensure that a power cord is connected to the appliance, insert the DVD in the appliance CD/DVD drive, and turn on the appliance. The console displays the boot options.

Step 3 At the boot prompt, enter 1 and press Enter.

Step 4 At the prompt, type setup to start the setup program.

Step 5 Enter the values for the setup program parameters. After the Cisco ISE or IPN software is configured, the system reboots automatically. To log back in to the CLI, you must enter the CLI-admin user credentials that you configured during setup.

What To Do Next

• If you installed the IPN ISO, go to Configuring Certificates for Inline Posture Nodes, page E-34.

• If you installed the Cisco ISE, Release 1.2 ISO image, after you log in to the Cisco ISE CLI shell, you can run the show application status ise CLI command to check the status of the Cisco ISE application processes.


Installing Cisco ISE Software on a Reimaged Cisco ISE-3300 Series Appliance

This section provides the procedure for reimaging an existing Cisco ISE-3300 Series appliance as a Cisco ISE 1.2 appliance.

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image on a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series, and legacy Cisco NAC and Cisco Secure ACS appliances.

• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6.

• Review the Cisco ISE Setup Program Parameters, page 3-7 and have this information ready before you run the setup program.

Step 1 If the Cisco ISE appliance is on, turn it off.

Step 2 Turn on the Cisco ISE appliance.

Step 3 Press F1 to enter the BIOS setup mode.

Step 4 Use the arrow keys to navigate to the Date and Time field and press Enter.

Step 5 Set the time to the UTC/GMT time zone.

Note We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.

Step 6 Press Esc to exit to the main BIOS menu.

Step 7 Press Esc to exit from the BIOS setup mode.

Step 8 Perform the instructions described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.

Step 9 Perform the instructions described in Setup Process Verification, page 3-15.

Installing Cisco ISE Software on a Reimaged Cisco Secure ACS Appliance

This section provides the procedure for reimaging an existing Cisco Secure ACS appliance as a Cisco ISE, Release 1.2, appliance.

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image to a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series and legacy Cisco NAC and Cisco Secure ACS appliances.

• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6.

• Review the Cisco ISE Setup Program Parameters, page 3-7, and have this information ready before you run the setup program.

Step 1

If the Cisco Secure ACS appliance is on, turn it off.

Step 2

Turn on the Cisco Secure ACS appliance.

Step 3

Press F1 to enter the BIOS setup mode.

Step 4

Use the arrow keys to navigate to the Date and Time field and press Enter.

Step 5

Set the time for your appliance to the UTC/GMT time zone.

Note

We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.

Step 6

Press Esc to exit to main BIOS menu.

Step 7

Press Esc to exit from the BIOS setup mode.

Step 8

Perform the instructions described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.

Step 9

Perform the instructions described in Setup Process Verification, page 3-15.

Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance

This section provides the procedure for reimaging an existing Cisco NAC appliance as a Cisco ISE 1.2 appliance.

Before You Begin

• Download the Cisco ISE, Release 1.2, or Inline Posture node ISO image, burn the ISO image to a DVD, and use it to install Release 1.2 on the Cisco ISE-3300 series and legacy Cisco NAC and Cisco Secure ACS appliances.

• Review the information in Prerequisites for Configuring a Cisco SNS-3400 Series Appliance, page 3-6.

• Review the Cisco ISE Setup Program Parameters, page 3-7, and have this information ready before you run the setup program.

Step 1

If the Cisco NAC appliance is on, turn it off.

Step 2

Turn on the Cisco NAC appliance.

Step 3

Press F1 to enter the BIOS setup mode.

Step 4

Using the arrow keys, navigate to the Date and Time field and press Enter.

Step 5

Set the time for your appliance to the UTC/GMT time zone.

Note

We recommend that you set all Cisco ISE nodes to the UTC time zone. This time zone setting ensures that the reports and logs from the various nodes in a deployment are always in sync with regard to the time stamps.

Step 6

Press Esc to exit to main BIOS menu.

Step 7

Press Esc to exit from the BIOS setup mode.

Note

If the Cisco ISE DVD installation process returns a message indicating that “The installer requires at least 600 GB disk space for this appliance type,” you may need to reset the RAID settings on the appliance to facilitate installation as described in Resetting the Existing RAID Configuration on a Cisco NAC Appliance.

Step 8

Perform the instructions that are described in Installing Cisco ISE, Release 1.2, Software from a DVD, page 5-2.

Step 9

Perform the instructions that are described in Setup Process Verification, page 3-15.

Resetting the Existing RAID Configuration on a Cisco NAC Appliance

It may be necessary to reset the RAID settings on your NAC appliance to facilitate Cisco ISE 1.2 installation.

Step 1

Reboot the Cisco NAC appliance with the Cisco ISE Software DVD.

Step 2

When you see the RAID controller version information appear in the CLI, press Ctrl-C. The RAID controller version information appears, displaying a label like LSI Corporation MPT SAS BIOS, and the LSI Corp Config Utility becomes active.

Step 3

Press Enter to specify the default controller. (The highlighted controller name should read something similar to SR-BR10i.) A screen containing the Cisco NAC appliance adapter information appears.

Step 4

Use the arrow keys to navigate to “RAID properties” and press Enter.

Step 5

Use the arrow keys to navigate to “Manage Array” and press Enter.

Step 6

Use the arrow keys to navigate to “Delete Array” and press Enter.

Step 7

Enter Y to confirm that you want to delete the existing RAID array.

Step 8

Press Esc twice to exit the RAID configuration utility. The system prompts you with an Exit the Configuration Utility and Reboot? prompt.

Step 9

Press Enter. The Cisco NAC appliance reboots. As long as the Cisco ISE Software DVD is still inserted, the appliance automatically boots to the install menu.

Step 10

Press 1 to begin the Cisco ISE, Release 1.2, installation.

Chapter 6

Managing Administrator Accounts

This chapter describes the two types of administrator accounts in Cisco ISE, their privileges, and how to create these accounts. This chapter contains the following topics:

• CLI-Admin and Web-Based Admin User Right Differences, page 6-1

• Tasks Performed by CLI-Admin and Web-Based Admin Users, page 6-1

• Tasks Performed Only by the CLI-Admin User, page 6-2

• Creating CLI Admin Users, page 6-2

• Creating Web-Based Admin Users, page 6-2

CLI-Admin and Web-Based Admin User Right Differences

The username and password that you configure by using the Cisco ISE setup program are intended to be used for administrative access to the Cisco ISE CLI and the Cisco ISE web interface. The administrator that has access to the Cisco ISE CLI is called the CLI-admin user. By default, the username for the CLI-admin user is admin and the password is user-defined during the setup process. There is no default password. You can initially access the Cisco ISE web interface by using the CLI-admin user’s username and password that you defined during the setup process. There is no default username and password for a web-based admin. The CLI-admin user is copied to the Cisco ISE web-based admin user database. Only the first CLI-admin user is copied as the web-based admin user. You should keep the CLI- and web-based admin user stores synchronized, so that you can use the same username and password for both admin roles. The Cisco ISE CLI-admin user has different rights and capabilities than the Cisco ISE web-based admin user and can perform other administrative tasks.

Tasks Performed by CLI-Admin and Web-Based Admin Users

• Back up the Cisco ISE application data.

• Display any system, application, or diagnostic logs on the Cisco ISE appliance.

• Apply Cisco ISE software patches, maintenance releases, and upgrades.

• Set the NTP server configuration.

Tasks Performed Only by the CLI-Admin User

• Start and stop the Cisco ISE application software.

• Reload or shut down the Cisco ISE appliance.

• Reset the web-based admin user in case of a lockout. For additional details, see Resetting a Password Due to Administrator Lockout, page 7-9.

Note

Web-based admin users that are created by using the Cisco ISE user interface cannot automatically log in to the Cisco ISE CLI. Only CLI-admin users can access the Cisco ISE CLI. Refer to Accessing Cisco ISE Using a Web Browser, page 7-1 for information on the supported browsers.

Creating CLI Admin Users

Cisco ISE allows you to create additional CLI-admin user accounts other than the one you created during the setup process. To protect the CLI-admin user credentials, create the minimum number of CLI-admin users needed to access the Cisco ISE CLI.

Step 1

Log in by using the CLI-admin username and password that you created during the setup process.

Step 2

Enter the Configuration mode.

Step 3

Enter the username command.

Note

For details about the username command, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.2.

Creating Web-Based Admin Users

For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as the CLI-based access that you configured during setup. You can add web-based admin users through the user interface itself. See the “Creating a New Cisco ISE Administrator” section of the Cisco Identity Services Engine User Guide, Release 1.2 for additional details.

Chapter 7

Performing Post-Installation Tasks

This chapter describes several tasks that you must perform after successfully completing the installation and configuration of the Cisco Identity Services Engine (ISE), Release 1.2, software. This chapter contains information about the following topics:

• Accessing Cisco ISE Using a Web Browser, page 7-1

• Verifying a Cisco ISE Configuration, page 7-4

• Verifying the Installation of VMware Tools, page 7-6

• Resetting the Administrator Password, page 7-7

• Configuring the Cisco ISE System, page 7-10

• Enabling System Diagnostic Reports in Cisco ISE, page 7-10

Accessing Cisco ISE Using a Web Browser

Cisco SNS-3400 series appliances support a web interface using the following HTTPS-enabled browsers:

• Mozilla Firefox version 3.6.x and above

• Microsoft Internet Explorer 8.x and above

Note

The Cisco ISE user interface does not support using the Microsoft IE8 browser in IE7 compatibility mode (Microsoft IE8 is supported in IE8 mode only).

• Apple Safari 4.x and above

Adobe Flash Player 11.2.0.0 or above must be installed on the system running the client browser.

This section provides information about the following topics:

• Logging In to the Cisco ISE Web-Based Interface, page 7-2

• Logging Out of the Cisco ISE Web-Based Interface, page 7-3

Logging In to the Cisco ISE Web-Based Interface

When you log in to the Cisco ISE web-based interface for the first time, you will be using the preinstalled Evaluation license. You must use only the supported HTTPS-enabled browsers listed in the previous section. After you have installed Cisco ISE as described in this guide, you can log in to the Cisco ISE web-based interface.

Step 1

After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.

Step 2

In the Address field, enter the IP address (or hostname) of the Cisco ISE appliance by using the following format and press Enter: https://<ip-address-or-hostname>/admin/

For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.

Step 3

Enter a username and password that you defined during setup.

Step 4

Click Login.

Note

To recover or reset the Cisco ISE CLI-admin username or password, see the Resetting the Administrator Password, page 7-7.

Tip

The minimum required screen resolution to view the Cisco ISE GUI is 1280 x 800 pixels.

Note

The CLI-admin and web-based admin username and password values are not necessarily the same when you log in to Cisco ISE. For more information about the differences between them, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.

Note

The license page only appears the first time that you log in to Cisco ISE after the evaluation license has expired.

We recommend that you use the Cisco ISE user interface to periodically reset your administrator login password. See the Cisco Identity Services Engine User Guide, Release 1.2 for more information.

Administrator Lockout Following Failed Login Attempts

If you enter an incorrect password for your specified administrator user ID enough times, the Cisco ISE user interface “locks you out” of the system. Cisco ISE adds a log entry in the Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report, and suspends the credentials for that administrator ID until you reset the password associated with that administrator ID, as described in Resetting a Password Due to Administrator Lockout, page 7-9. The number of failed attempts required to disable the administrator account is configurable according to the guidelines that are described in the “Managing Administrators and Admin Access Policies” chapter of the Cisco Identity Services Engine User Guide, Release 1.2. After an administrator user account gets locked out, an email is sent to the associated admin user.

Logging Out of the Cisco ISE Web-Based Interface

To log out of the Cisco ISE web-based interface, click Log Out on the Cisco ISE main window toolbar. This ends your administrative session and logs you out.

Caution

For security reasons, we recommend that you log out when you complete your administrative session. If you do not log out, the Cisco ISE web-based interface logs you out after 30 minutes of inactivity and does not save any unsubmitted configuration data. For more information on using the Cisco ISE web-based interface, see the Cisco Identity Services Engine User Guide, Release 1.2.

Installing a License

Refer to Appendix D, “Cisco ISE Licenses” for information on licenses.

Installing Certificates

Refer to Appendix E, “Certificate Management in Cisco ISE” for information on certificates.

Verifying a Cisco ISE Configuration

This section provides two methods, each using a different set of username and password credentials, for verifying the Cisco ISE configuration:

• Verifying a Configuration Using a Web Browser, page 7-4

• Verifying a Configuration Using the CLI, page 7-5

Note

For first-time web-based access to the Cisco ISE system, the administrator username and password are the same as the CLI-based access that you configured during setup. For CLI-based access to a Cisco ISE system, the administrator username is admin by default, and the administrator password is user-defined (there is no default). To better understand the differences between a CLI-admin user and a web-based admin user, see CLI-Admin and Web-Based Admin User Right Differences, page 6-1.

Verifying a Configuration Using a Web Browser

To verify that you successfully configured your Cisco SNS-3400 Series appliance, complete the following steps using a web browser:

Step 1

After the Cisco ISE appliance reboot has completed, launch one of the supported web browsers.

Step 2

In the Address field, enter the IP address (or host name) of the Cisco ISE appliance using the following format and press Enter: https://<ip-address-or-hostname>/admin/

For example, entering https://10.10.10.10/admin/ displays the Cisco ISE Login page.

Step 3

In the Cisco ISE Login page, enter the username and password that you defined during setup and click Login. The Cisco ISE dashboard appears.

Note

We recommend that you use the Cisco ISE user interface to periodically reset the administrator password. To reset the administrator password, see Cisco Identity Services Engine User Guide, Release 1.2 for details.

Verifying a Configuration Using the CLI

To verify that you successfully configured your Cisco ISE appliance, use the Cisco ISE CLI and complete the following steps:

Step 1

After the Cisco ISE appliance reboot has completed, launch a supported product, such as PuTTY, for establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.

Step 2

In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format of the Cisco ISE appliance) and click Open.

Step 3

At the login prompt, enter the CLI-admin username (admin is the default) that you configured during setup and press Enter.

Step 4

At the password prompt, enter the CLI-admin password that you configured during setup (this is user-defined and there is no default) and press Enter.

Step 5

At the system prompt, enter show application version ise and press Enter. The console displays the installed version information.

Note

The Version field lists the currently installed version of Cisco ISE software.

Step 6

To check the status of the Cisco ISE processes, enter show application status ise and press Enter. The console displays the status of each Cisco ISE process.

Note

To get the latest Cisco ISE patches and keep Cisco ISE up-to-date, visit the following web site: http://www.cisco.com/public/sw-center/index.shtml

Step 7

To check the Cisco Application Deployment Engine, Release 2.0.5, operating system (ADE-OS) version, enter show version and press Enter. The console displays output similar to the following:

    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.5.083
    ADE-OS System Architecture: i386

Verifying the Installation of VMware Tools

You can verify the installation of the VMware tools in the following two ways:

• Using the Summary Tab in the vSphere Client

• Using the CLI

Using the Summary Tab in the vSphere Client

Go to the Summary tab of the specified VMware host in the vSphere Client. The value in the VMware Tools field should be OK. (See Figure 7-1.)

Figure 7-1 Verifying VMware Tools in the vSphere Client

Using the CLI

You can also verify whether the VMware tools are installed by using the show inventory command. This command lists the NIC driver information. On a virtual machine with VMware tools installed, VMware Virtual Ethernet driver is listed in the Driver Descr field.

    vm36/admin# show inventory
    NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
    PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA

    Total RAM Memory: 4016564 kB
    CPU Core Count: 1
    CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 64.40 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders
    NIC Count: 1
    NIC 0: Device Name: eth0
    NIC 0: HW Address: 00:0C:29:BA:C7:82
    NIC 0: Driver Descr: VMware Virtual Ethernet driver

    (*) Hard Disk Count may be Logical.
    vm36/admin#
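The two CLI checks in this chapter, the ADE-OS version from show version (Step 7 of the CLI verification procedure) and the VMware driver test from show inventory above, are easy to script so they can be repeated across every node of a deployment. The following Python 3 program is an added example and is not code from this guide or from Cisco: it parses transcriptions of the two outputs printed above (embedded as constructed sample strings) and reports whether the node runs the expected ADE-OS build and, on a virtual appliance, whether a NIC reports the VMware Virtual Ethernet driver. The expected build prefix 2.0.5 and the rules in check_install are assumptions chosen for this example; the command output must be captured separately (for example from the SSH session in the previous procedure) and passed to the parsers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a transcription of the `show version` output
# shown in Step 7 of the CLI verification procedure.
SHOW_VERSION_SAMPLE = """\
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.5.083
ADE-OS System Architecture: i386
"""

# Constructed sample input: a transcription of the `show inventory` output
# shown above for the ISE-VM-K9 virtual appliance.
SHOW_INVENTORY_SAMPLE = """\
NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9 , VID: V01 , SN: 8JDCBLIDLJA

Total RAM Memory: 4016564 kB
CPU Core Count: 1
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 64.40 GB
Disk 0: Geometry: 255 heads 63 sectors/track 7832 cylinders
NIC Count: 1
NIC 0: Device Name: eth0
NIC 0: HW Address: 00:0C:29:BA:C7:82
NIC 0: Driver Descr: VMware Virtual Ethernet driver

(*) Hard Disk Count may be Logical.
"""

# Driver string that, per the guide, identifies a VM with VMware tools installed.
VMWARE_DRIVER = "VMware Virtual Ethernet driver"

# Labels inside "Disk N: <label>: <value>" and "NIC N: <label>: <value>" lines.
_DISK_KEYS = {"Device Name": "device", "Capacity": "capacity", "Geometry": "geometry"}
_NIC_KEYS = {"Device Name": "device", "HW Address": "hw_address", "Driver Descr": "driver"}


@dataclass
class Inventory:
    pid: str = ""
    vid: str = ""
    serial: str = ""
    ram_kb: int = 0
    cpu_cores: int = 0
    disks: dict = field(default_factory=dict)  # index -> {"device", "capacity", "geometry"}
    nics: dict = field(default_factory=dict)   # index -> {"device", "hw_address", "driver"}


def parse_show_version(text):
    """Extract the three ADE-OS fields from `show version` output (None if a field is absent)."""
    patterns = {
        "os_release": r"OS Release:\s*(\S+)",
        "build_version": r"ADE-OS Build Version:\s*(\S+)",
        "arch": r"ADE-OS System Architecture:\s*(\S+)",
    }
    result = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, text)
        result[name] = m.group(1) if m else None
    return result


def parse_show_inventory(text):
    """Parse `show inventory` output line by line; lines that match nothing are ignored."""
    inv = Inventory()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"PID:\s*(\S+)\s*,\s*VID:\s*(\S+)\s*,\s*SN:\s*(\S+)", line):
            inv.pid, inv.vid, inv.serial = m.groups()
        elif m := re.match(r"Total RAM Memory:\s*(\d+)\s*kB", line):
            inv.ram_kb = int(m.group(1))
        elif m := re.match(r"CPU Core Count:\s*(\d+)", line):
            inv.cpu_cores = int(m.group(1))
        elif m := re.match(r"Disk (\d+): ([A-Za-z ]+): (.+)", line):
            idx, label, value = m.groups()
            if label in _DISK_KEYS:
                inv.disks.setdefault(int(idx), {})[_DISK_KEYS[label]] = value.strip()
        elif m := re.match(r"NIC (\d+): ([A-Za-z ]+): (.+)", line):
            idx, label, value = m.groups()
            if label in _NIC_KEYS:
                inv.nics.setdefault(int(idx), {})[_NIC_KEYS[label]] = value.strip()
    return inv


def vmware_tools_installed(inv):
    """The guide's CLI test: VMware tools are present if some NIC reports the VMware driver."""
    return any(VMWARE_DRIVER in nic.get("driver", "") for nic in inv.nics.values())


def check_install(version, inv, expected_build="2.0.5"):
    """Apply the post-install checks; returns a list of findings (empty means all passed).

    expected_build is an assumption for this example (the ADE-OS release named in Step 7).
    """
    findings = []
    build = version.get("build_version") or ""
    if not build.startswith(expected_build):
        findings.append(f"ADE-OS build {build!r} does not start with {expected_build!r}")
    if not inv.serial:
        findings.append("no PID/VID/SN line found in show inventory output")
    if inv.pid.startswith("ISE-VM") and not vmware_tools_installed(inv):
        findings.append("virtual appliance but no NIC reports the VMware Virtual Ethernet driver")
    return findings


if __name__ == "__main__":
    ver = parse_show_version(SHOW_VERSION_SAMPLE)
    inv = parse_show_inventory(SHOW_INVENTORY_SAMPLE)
    print(f"ADE-OS {ver['os_release']} build {ver['build_version']} ({ver['arch']})")
    print(f"{inv.pid} SN {inv.serial}: {inv.cpu_cores} core(s), {inv.ram_kb} kB RAM, "
          f"VMware tools {'OK' if vmware_tools_installed(inv) else 'MISSING'}")
    print("findings:", check_install(ver, inv) or "none")
```

Run it as-is to see the checks pass against the sample output, or replace the two sample strings with output captured from a node. A non-empty findings list means one of the checks failed; a physical SNS-3400 appliance (PID not starting with ISE-VM) is never flagged for the missing VMware driver.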

Upgrading VMware Tools

The Cisco ISE ISO image (regular, upgrade, or patch) contains the supported VMware tools. Upgrading VMware tools through the VMware client user interface is not supported with Cisco ISE. If you want to upgrade any VMware tools to a higher version, support is provided through a newer version of Cisco ISE (regular, upgrade, or patch release).

Resetting the Administrator Password

There are two ways to reset the Cisco ISE administrator password:

• Resetting a Lost, Forgotten, or Compromised Password, page 7-8—Use this procedure if no one is able to log in to the Cisco ISE system because the administrator password has been lost, forgotten, or compromised.

• Resetting a Password Due to Administrator Lockout, page 7-9—Use this procedure if the administrator account is locked due to too many failed login attempts.

Resetting a Lost, Forgotten, or Compromised Password

If no one is able to log in to the Cisco ISE system because the administrator password has been lost, forgotten, or compromised, you can use the Cisco ISE Software DVD to reset the administrator password.

Before You Begin

Make sure you understand the following connection-related conditions that can cause a problem when attempting to use the Cisco ISE Software DVD to start up a Cisco ISE appliance:

• You have a terminal server associated with the serial console connection to the Cisco ISE appliance that is set to exec. Setting it to no exec allows you to use a KVM connection and a serial console connection.

• You have a keyboard and video monitor (KVM) connection to the Cisco ISE appliance (this can be either a remote KVM or a VMware vSphere client console connection).

• You have a serial console connection to the Cisco ISE appliance.

Step 1

Ensure that the Cisco ISE appliance is powered up.

Step 2

Insert the Cisco ISE Software DVD.

Step 3

Reboot the Cisco ISE appliance to boot from the DVD. The console displays the following message (this example shows a Cisco ISE 3355):

    Welcome to Cisco Identity Services Engine - ISE 3355
    To boot from hard disk press <Enter>.
    Available boot options:
    [1] Cisco Identity Services Engine Installation (Keyboard/Monitor)
    [2] Cisco Identity Services Engine Installation (Serial Console)
    [3] Reset Administrator Password (Keyboard/Monitor)
    [4] Reset Administrator Password (Serial Console)
    <Enter> Boot from hard disk
    Please enter boot option and press <Enter>.
    boot:

Step 4

At the system prompt, enter 3 if you use a keyboard and video monitor connection to the appliance, or enter 4 if you use a local serial console port connection. The console displays a set of parameters.

Step 5

Enter the parameters by using the descriptions that are listed in Table 7-1.

Table 7-1 Password Reset Parameters

    Parameter               Description
    Admin username          Enter the number of the administrator whose password you want to reset.
    Password                Enter a new password.
    Verify password         Enter the password again.
    Save change and reboot  Enter Y to save.

The console displays:

    Admin username:
    [1]:admin
    [2]:admin2
    [3]:admin3
    [4]:admin4
    Enter number of admin for password recovery:2
    Password:
    Verify password:
    Save change and reboot? [Y/N]:

See the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 for more information.

Resetting a Password Due to Administrator Lockout

An administrator can enter an incorrect password enough times to disable the account. The minimum and default number of attempts is five.

Note

This command resets the administrator user interface password. It does not affect the CLI password of the administrator.

Step 1

Access the direct-console CLI and enter:

    application reset-passwd ise administrator_ID

Step 2

Specify and confirm a new password that is different from the previous two passwords that were used for this administrator ID:

    Enter new password:
    Confirm new password:
    Password reset successfully

After you successfully reset the administrator password, the credentials are immediately active and you can log in without having to reboot the system. For more details on using the application reset-passwd ise command, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.2.

Changing the IP Address of a Cisco ISE Appliance

To change the IP address of a Cisco SNS-3400 series appliance, complete the following steps:

Before You Begin

Ensure that the Cisco ISE node is in a standalone state before you change the IP address. If the node is part of a distributed deployment, deregister the node from the deployment and make it a standalone node.

Step 1

Log in to the Cisco ISE CLI.

Step 2

Enter the following:

    configure terminal
    interface GigabitEthernet 0
    ip address new_ip_address new_subnet_mask
    exit

Note

Do not use the no ip address command when you change the Cisco ISE appliance IP address.

Note

All Cisco ISE services have to be restarted after changing the Cisco ISE appliance IP address.

Configuring the Cisco ISE System

By using the Cisco ISE web-based user interface menus and options, you can configure the Cisco ISE system to suit your needs. For details on configuring authentication and authorization policies, and other features, menus, and options, see the Cisco Identity Services Engine User Guide, Release 1.2. For details on each of the Cisco ISE operations and other administrative functions, such as monitoring and reporting, see the Cisco Identity Services Engine User Guide, Release 1.2. For the most current information about this release, see the Release Notes for Cisco Identity Service Engine, Release 1.2.

Enabling System Diagnostic Reports in Cisco ISE

After installing Cisco ISE for the first time or reimaging an appliance, you can choose to enable the system-level diagnostic reports using the Cisco ISE CLI (the logging function that reports on system diagnostics is not enabled in Cisco ISE by default). To enable system diagnostic reports, do the following:

Step 1

Log in to the Cisco ISE CLI console using the CLI-admin username and password.

Step 2

Enter the following commands:

    a. configure terminal
    b. logging 127.0.0.1:20514
    c. end
    d. write memory

You can configure system diagnostic settings through the Cisco ISE user interface (Administration > System > Logging > Logging Categories > System Diagnostics).

Appendix A

Installing the Cisco SNS-3400 Series Appliance in a Rack

This appendix describes the safety guidelines, site requirements, and guidelines that you must observe before installing the Cisco SNS-3400 Series appliances, and also provides instructions on how to rack mount a Cisco SNS-3400 Series appliance, connect all the cables, power up the appliance, and remove or replace the server components. This appendix contains the following sections:

• Unpacking and Inspecting the Server, page A-1

• Safety Guidelines, page A-2

• Installing a Cisco SNS-3400 Series Appliance in a Rack, page A-4

• Connecting and Powering On the Server, page A-7

• Checking the LEDs, page A-8

• Installing or Replacing Server Components, page A-11

Unpacking and Inspecting the Server

This section provides information on how you can prepare your site for safely installing the Cisco SNS-3400 series appliance.

Caution

When handling internal server components, wear an ESD strap and handle modules by the carrier edges only.

Tip

Keep the shipping container in case the server requires shipping in the future.

Note

The chassis is thoroughly inspected before shipment. If any damage occurred during transportation or any items are missing, contact your customer service representative immediately.

To inspect the shipment, follow these steps:

Step 1

Remove the server from its cardboard container and save all packaging material.


Step 2

Compare the shipment to the equipment list provided by your customer service representative and Figure A-1. Verify that you have all items.

Step 3

Check for damage and report any discrepancies or damage to your customer service representative. Have the following information ready:

• Invoice number of shipper (see the packing slip)

• Model and serial number of the damaged unit

• Description of damage

• Effect of damage on the installation

Figure A-1 Shipping Box Contents

    1 Server
    2 Power cord (optional, up to two)
    3 Documentation
    4 KVM cable

Safety Guidelines

Note

Before you install, operate, or service a Cisco SNS-3400 series appliance, review the Regulatory Compliance and Safety Information for Cisco SNS 3400 Series Appliance for important safety information.

Warning

IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071

Warning

To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of: 40° C (104° F). Statement 1047

Warning

The plug-socket combination must be accessible at all times, because it serves as the main disconnecting device. Statement 1019

Warning

This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than: 250 V, 15 A. Statement 1005

Warning

Installation of the equipment must comply with local and national electrical codes. Statement 1074

When you are installing a server, use the following guidelines:

• Plan your site configuration and prepare the site before installing the server. See the Cisco UCS Site Preparation Guide for the recommended site planning tasks.

• Ensure that there is adequate space around the server to allow for servicing the server and for adequate airflow. The airflow in this server is from front to back.

• Ensure that the air-conditioning meets the thermal requirements listed in Appendix B, “Cisco SNS-3400 Series Server Specifications.”

• Ensure that the cabinet or rack meets the requirements listed in the “Rack Requirements” section on page A-4.

• Ensure that the site power meets the power requirements listed in Appendix B, “Cisco SNS-3400 Series Server Specifications.” If available, you can use an uninterruptible power supply (UPS) to protect against power failures.

Caution

Avoid UPS types that use ferroresonant technology. These UPS types can become unstable with systems such as the Cisco SNS 3400 series appliances, which can have substantial current draw fluctuations from fluctuating data traffic patterns.

Installing a Cisco SNS-3400 Series Appliance in a Rack

This section describes how to mount the Cisco SNS-3400 Series appliance in a rack and contains the following topics:

• Rack Requirements, page A-4

• Equipment Requirements, page A-4

• Slide Rail Adjustment Range, page A-4

• Installing the Server In a Rack, page A-4

Rack Requirements

The following are the requirements for standard open racks:

• A standard 19-in. (48.3-cm) wide, four-post EIA rack, with mounting posts that conform to English universal hole spacing, per section 1 of ANSI/EIA-310-D-1992.

• The rack post holes can be square .38-inch (9.6 mm), round .28-inch (7.1 mm), #12-24 UNC, or #10-32 UNC when you use the supplied slide rails.

• The minimum vertical rack space per server must be one RU, equal to 1.75 in. (44.45 mm).

Equipment Requirements

The slide rails supplied by Cisco Systems for this server do not require tools for installation. The inner rails (mounting brackets) are preattached to the sides of the server.

Slide Rail Adjustment Range

The slide rails for this server have an adjustment range of 24 to 36 inches (610 to 914 mm).

Installing the Server In a Rack

This section describes how to install the server in a rack.

Warning

To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety: This unit should be mounted at the bottom of the rack if it is the only unit in the rack. When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack. If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack. Statement 1006


To install the slide rails and the server into a rack, follow these steps:

Step 1 Open the front securing latch (see Figure A-2). The end of the slide-rail assembly marked “FRONT” has a spring-loaded securing latch that must be open before you can insert the mounting pegs into the rack-post holes.

a. On the rear side of the securing-latch assembly, hold open the clip marked “PULL.”

b. Slide the spring-loaded securing latch away from the mounting pegs.

c. Release the clip marked “PULL” to lock the securing latch in the open position.

Figure A-2 Front Securing Latch

1 Clip marked “PULL” on rear of assembly
2 Front mounting pegs
3 Spring-loaded securing latch on front of assembly

Step 2 Install the slide rails on the rack:

a. Position a slide-rail assembly inside the two left-side rack posts (see Figure A-3). Use the “FRONT” and “REAR” markings on the slide-rail assembly to orient the assembly correctly with the front and rear rack posts.

b. Position the front mounting pegs so that they enter the desired front rack-post holes from the front.

Note The mounting pegs that protrude through the rack-post holes are designed to fit round or square holes, or smaller #10-32 round holes when the mounting peg is compressed. If your rack has #10-32 rack-post holes, align the mounting pegs with the holes and then compress the spring-loaded pegs to expose the #10-32 inner peg.

c. Expand the length-adjustment bracket until the rear mounting pegs protrude through the desired holes in the rear rack post.


Use your finger to hold the rear securing latch open when you insert the rear mounting pegs into their holes. When you release the latch, it wraps around the rack post and secures the slide-rail assembly.

Figure A-3 Attaching a Slide-Rail Assembly

1 Front-left rack post
2 Front mounting pegs
3 Slide-rail assembly
4 Length-adjustment bracket
5 Rear mounting pegs
6 Rear securing latch

d. Attach the second slide-rail assembly to the opposite side of the rack. Ensure that the two slide-rail assemblies are level and at the same height with each other.

e. Pull the inner slide rails on each assembly out toward the rack front until they hit the internal stops and lock in place.

Step 3 Insert the server into the slide rails:

Note The inner rails are preattached to the sides of the server at the factory. You can order replacement inner rails if these are damaged or lost (Cisco PID UCSC-RAIL1-I).

a. Align the inner rails that are preattached to the server sides with the front ends of the empty slide rails.

b. Push the server into the slide rails until it stops at the internal stops.

c. Push in the plastic release clip on each inner rail (labelled PUSH), and then continue pushing the server into the rack until the front latches engage the rack posts.

Step 4 Attach the (optional) cable management arm (CMA) to the rear of the slide rails:

Note The CMA is designed for mounting on either the right or left slide rails. These instructions describe an installation to the rear of the right slide rails, as viewed from the rear of the server.

a. Slide the plastic clip on the inner CMA arm over the flange on the mounting bracket that is attached to the side of the server. See Figure A-4.


Note Whether you are mounting the CMA to the left or right slide rails, be sure to orient the engraved “UP” marking so that it is always on the upper side of the CMA. See Figure A-4.

b. Slide the plastic clip on the outer CMA arm over the flange on the slide rail. See Figure A-4.

c. Attach the CMA retaining bracket to the left slide rail. Slide the plastic clip on the bracket over the flange on the end of the left slide rail. See Figure A-4.

Figure A-4 Attaching the Cable Management Arm (Rear of Server Shown)

1 Flange on rear of outer left slide rail
2 CMA retaining bracket
3 Flange on rear of right mounting bracket
4 Flange on rear of outer right slide rail
5 Inner CMA arm attachment clip
6 “UP” orientation marking
7 Outer CMA arm attachment clip

Step 5 Continue with the “Using CIMC to Configure Release 1.2 on a Cisco SNS-3400 Series Appliance” section on page 3-9.

Connecting and Powering On the Server

This section describes how to power on the server and assign an IP address to connect to it. The server is shipped with a default NIC mode called Shared LOM, default NIC redundancy is active-active, and DHCP is enabled. Shared LOM mode enables the two 1-Gb Ethernet ports to access the Cisco Integrated Management Interface (CIMC). If you want to use the 1-Gb Ethernet dedicated management port, or a port on a Cisco UCS P81E Virtual Interface Card (VIC) to access the CIMC, you must first connect to the server and change the NIC mode as described in Step 3 of the following procedure. In that step, you can also change the NIC redundancy and set static IP settings. Use the following procedure to perform the initial setup of the server:


Step 1 Attach a supplied power cord to each power supply in the server and then attach the power cord to a grounded AC power outlet. See the Power Specifications, page B-2 for power specifications. Wait for approximately two minutes to let the server boot in standby power during the first bootup. You can verify the power status by looking at the Power Status LED:

• Off—There is no AC power present in the server.

• Amber—The server is in standby power mode. Power is supplied only to the CIMC and some motherboard functions.

• Green—The server is in main power mode. Power is supplied to all server components.

Note During bootup, the server beeps once for each USB device that is attached to the server. Even if there are no external USB devices attached, there is a short beep for each virtual USB device such as a virtual floppy drive, CD/DVD drive, keyboard, or mouse. A beep is also emitted if a USB device is hot-plugged or hot-unplugged during BIOS power-on self-test (POST), or while you are accessing the BIOS Setup utility or the EFI shell.

Step 2 Connect a USB keyboard and VGA monitor by using the supplied KVM cable connected to the KVM connector on the front panel.

Note Alternatively, you can use the VGA and USB ports on the rear panel. However, you cannot use the front panel VGA and the rear panel VGA at the same time. If you are connected to one VGA connector and you then connect a video device to the other connector, the first VGA connector is disabled.

Checking the LEDs

When the Cisco SNS-3400 series appliances have been started up and are running, observe the state of the front-panel and rear-panel LEDs. The following topics describe the LED color, its power status, activity, and other important status indicators that are displayed for the Cisco SNS-3400 series appliance:

• Front Panel LEDs and Buttons, page B-2

• Rear Panel LEDs and Buttons, page B-4


Front Panel LEDs and Buttons

Table A-1 Front Panel LED States

LED Name: Power button/Power status LED
• Off—There is no AC power to the server.
• Amber—The server is in standby power mode. Power is supplied only to the CIMC and some motherboard functions.
• Green—The server is in main power mode. Power is supplied to all server components.

LED Name: Identification
• Off—The Identification LED is not in use.
• Blue—The Identification LED is activated.

LED Name: System status
• Green—The server is running in a normal operating condition.
• Green, blinking—The server is performing system initialization and memory checks.
• Amber, steady—The server is in a degraded operational state, which may be due to one of the following:
  – Power supply redundancy is lost.
  – CPUs are mismatched.
  – At least one CPU is faulty.
  – At least one DIMM is faulty.
  – At least one drive in a RAID configuration failed.
• Amber, blinking—The server is in a critical fault state, which may be due to one of the following:
  – Boot failed.
  – Fatal CPU and/or bus error is detected.
  – Server is in an over-temperature condition.

LED Name: Fan status
• Green—All fan modules are operating properly.
• Amber, steady—One fan module has failed.
• Amber, blinking—Critical fault, two or more fan modules have failed.

LED Name: Temperature status
• Green—The server is operating at normal temperature.
• Amber, steady—One or more temperature sensors have exceeded a warning threshold.
• Amber, blinking—One or more temperature sensors have exceeded a critical threshold.

LED Name: Power supply status
• Green—All power supplies are operating normally.
• Amber, steady—One or more power supplies are in a degraded operational state.
• Amber, blinking—One or more power supplies are in a critical fault state.

LED Name: Network link activity
• Off—The Ethernet link is idle.
• Green—One or more Ethernet LOM ports are link-active, but there is no activity.
• Green, blinking—One or more Ethernet LOM ports are link-active, with activity.


Table A-1 Front Panel LED States (continued)

LED Name: Hard drive fault
• Off—The hard drive is operating properly.
• Amber—The hard drive has failed.
• Amber, blinking—The device is rebuilding.

LED Name: Hard drive activity
• Off—There is no hard drive in the hard drive sled (no access, no fault).
• Green—The hard drive is ready.
• Green, blinking—The hard drive is reading or writing data.

Rear Panel LEDs and Buttons

Table A-2 Rear Panel LED States

LED Name: Power supply fault
• Off—The power supply is operating normally.
• Amber, blinking—An event warning threshold has been reached, but the power supply continues to operate.
• Amber, solid—A critical fault threshold has been reached, causing the power supply to shut down (for example, a fan failure or an over-temperature condition).

LED Name: Power supply AC OK
• Off—There is no AC power to the power supply.
• Green, blinking—AC power OK, DC output not enabled.
• Green, solid—AC power OK, DC outputs OK.

LED Name: 1-Gb Ethernet dedicated management link speed
• Off—Link speed is 10 Mbps.
• Amber—Link speed is 100 Mbps.
• Green—Link speed is 1 Gbps.

LED Name: 1-Gb Ethernet dedicated management link status
• Off—No link is present.
• Green—Link is active.
• Green, blinking—Traffic is present on the active link.

LED Name: 1-Gb Ethernet link speed
• Off—Link speed is 10 Mbps.
• Amber—Link speed is 100 Mbps.
• Green—Link speed is 1 Gbps.

LED Name: 1-Gb Ethernet link status
• Off—No link is present.
• Green—Link is active.
• Green, blinking—Traffic is present on the active link.

LED Name: Identification
• Off—The Identification LED is not in use.
• Blue—The Identification LED is activated.


Installing or Replacing Server Components

Refer to the Cisco UCS C220 Server Installation and Service Guide for information on how to install or replace the Cisco SNS 3415 or 3495 appliance components.


Appendix B

Cisco SNS-3400 Series Server Specifications

This appendix lists the technical specifications for the server and includes the following sections:

• Physical Specifications, page B-1

• Environmental Specifications, page B-1

• Power Specifications, page B-2

Physical Specifications

Table B-1 lists the physical specifications for the server.

Table B-1 Cisco SNS-3400 Series Server Physical Specifications

Description | Specification
Height | 1.7 in. (4.3 cm)
Width | 16.9 in. (42.9 cm)
Depth | 28.5 in. (72.4 cm)
Weight (fully loaded chassis) | 35.6 lb. (16.1 Kg)

Environmental Specifications

Table B-2 lists the environmental specifications for the server.

Table B-2 Cisco SNS-3400 Series Server Environmental Specifications

Description | Specification
Temperature, operating | 41 to 104°F (5 to 40°C). Derate the maximum temperature by 1°C per every 305 meters of altitude above sea level.
Temperature, non-operating | –40 to 149°F (–40 to 65°C)
Humidity (RH), noncondensing | 10 to 90 percent
Altitude, operating | 0 to 10,000 feet


Altitude, non-operating | 0 to 40,000 feet
Sound power level | 5.4 LwAd (Bels), measured A-weighted per ISO7779, operation at 73°F (23°C)
Sound pressure level | 37 LpAm (dBA), measured A-weighted per ISO7779, operation at 73°F (23°C)

Power Specifications

The power specifications for the two power supply options are listed in the following sections:

• 450-Watt Power Supply, page B-2

• 650-Watt Power Supply, page B-2

Note Do not mix power supply types in the server. Both power supplies must be either 450W or 650W.

450-Watt Power Supply

Table B-3 lists the specifications for each 450W power supply (Cisco part number UCSC-PSU-450W).

Table B-3 Cisco SNS-3400 Series Server 450-Watt Power Supply Specifications

Description | Specification
AC input voltage range | Low range: 100 VAC to 120 VAC; High range: 200 VAC to 240 VAC
AC input frequency | Range: 47 to 63 Hz (single phase, 50 to 60 Hz nominal)
AC line input current (steady state) | 6.0 A peak at 100 VAC; 3.0 A peak at 208 VAC
Maximum output power for each power supply | 450 Watts
Power supply output voltage | Main power: 12 VDC; Standby power: 12 VDC

650-Watt Power Supply

Table B-4 lists the specifications for each 650W power supply (Cisco part number UCSC-PSU-650W).


Table B-4 Cisco SNS-3400 Series Server 650-Watt Power Supply Specifications

Description | Specification
AC input voltage range | 90 to 264 VAC (self-ranging, 180 to 264 VAC nominal)
AC input frequency | Range: 47 to 63 Hz (single phase, 50 to 60 Hz nominal)
AC line input current (steady state) | 7.6 A peak at 100 VAC; 3.65 A peak at 208 VAC
Maximum output power for each power supply | 650 Watts
Power supply output voltage | Main power: 12 VDC; Standby power: 12 VDC


Appendix C

Cisco SNS-3400 Series Appliance Ports Reference

This appendix lists the TCP and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices. Table C-1 lists the ports by TCP and UDP port number, identifies the associated feature, service, or protocol, and describes any specific port-related information that applies to the four Gigabit Ethernet ports: GbEth0, GbEth1, GbEth2, and GbEth3. The Cisco ISE ports listed in this table must be open on the corresponding firewall. The ports list provides information that can be useful when configuring a firewall, creating access control lists (ACLs), and configuring services on a Cisco ISE network.

• Cisco ISE management is restricted to Gigabit Ethernet 0.

• RADIUS listens on all network interface cards (NICs).

• All NICs can be configured with IP addresses.

[Figure: Cisco ISE deployment ports diagram (image not reproduced). The figure shows the Administration node (PAN), Monitoring node (MnT), Policy Service node (PSN), Inline Posture node (IPN), and PIP, their inter-node communication links, and their connections to NADs, endpoints, Admin/Sponsor users, Email/SMS gateways, and Cisco.com/Perfigo.com update servers, labelled with the TCP and UDP ports used on each link. The ports shown are itemized in Table C-1.]


Table C-1 Cisco ISE Services and Ports

Cisco ISE Node: Administration node

  Cisco ISE Service: Administration
  Ports on Gigabit Ethernet 0:
  • TCP: 22 (Secure Shell [SSH] server)
  • TCP: 80 (HTTP)
  • TCP: 443¹ (HTTPS)
  • TCP: 9060 (External RESTful Services (ERS) REST API)
  Note Port 80 is redirected to port 443 (not configurable).
  Note Ports 80 and 443 support Admin web applications and are enabled by default.
  Ports on Gigabit Ethernet 1, 2, and 3: Cisco ISE management is restricted to Gigabit Ethernet 0.

  Cisco ISE Service: Replication and Synchronization
  Ports on Gigabit Ethernet 0:
  • TCP: 443 (HTTPS SOAP)
  • TCP: 12001 Global (JGroups - Data synchronization / Data replication)

  Cisco ISE Service: Monitoring
  Ports on Gigabit Ethernet 0:
  • UDP: 161 (SNMP Query)
  Note This port is route table dependent.


Table C-1 Cisco ISE Services and Ports (continued)

Cisco ISE Node: Administration node (continued)

  Cisco ISE Service: Logging (Outbound)
  Ports on Gigabit Ethernet 0:
  • UDP: 20514, TCP: 1468 (Syslog)
  • TCP: 6514 (Secure Syslog)
  Note Default ports are configurable for external logging.
  • UDP: 162 (SNMP Traps)

  Cisco ISE Service: External Identity Stores and Resources (Admin user interface authentication)
  Ports on Gigabit Ethernet 0:
  • TCP: 389, 3268, UDP: 389 (LDAP)
  • TCP: 445 (SMB)
  • TCP: 88, UDP: 88 (KDC)
  • TCP: 464 (KPASS)
  • UDP: 123 (NTP)
  • TCP: 53, UDP: 53 (DNS)

  Cisco ISE Service: Guest
  Ports on Gigabit Ethernet 0:
  • Guest account expiry email notification: SMTP: TCP/25


Table C-1 Cisco ISE Services and Ports (continued)

Cisco ISE Node: Monitoring node

  Cisco ISE Service: Administration
  Ports on Gigabit Ethernet 0:
  • TCP: 22 (SSH server)
  • TCP: 80¹ (HTTP)
  • TCP: 443¹ (HTTPS)
  Ports on Gigabit Ethernet 1, 2, and 3: —

  Cisco ISE Service: Replication and Synchronization
  Ports on Gigabit Ethernet 0:
  • TCP: 443 (HTTPS SOAP)
  • TCP: 1521 - Oracle DB Listener
  • TCP: 12001 Global (JGroups - Data synchronization / Data replication)
  Ports on Gigabit Ethernet 1, 2, and 3:
  • TCP: 1521 - Oracle DB Listener

  Cisco ISE Service: Monitoring
  Ports on Gigabit Ethernet 0:
  • UDP: 161 (SNMP)
  Note This port is route table dependent.

  Cisco ISE Service: Logging
  Ports on Gigabit Ethernet 0:
  • UDP: 20514, TCP: 1468 (Syslog)
  • TCP: 6514 (Secure Syslog)
  Note Default ports are configurable for external logging.
  • TCP: 25 (SMTP)
  • UDP: 162 (SNMP Traps)

  Cisco ISE Service: External Resources (Admin user interface authentication)
  Ports on Gigabit Ethernet 0:
  • TCP: 389, 3268, UDP: 389 (LDAP)
  • TCP: 445 (SMB)
  • TCP: 88, UDP: 88 (KDC)
  • TCP: 464 (KPASS)
  • UDP: 123 (NTP)
  • TCP: 53, UDP: 53 (DNS)


Table C-1 Cisco ISE Services and Ports (continued)

Cisco ISE Node: Policy Service node

  Cisco ISE Service: Administration
  Ports on Gigabit Ethernet 0:
  • TCP: 22 (SSH server)
  • TCP: 80¹ (HTTP)
  • TCP: 443¹ (HTTPS)
  Ports on Gigabit Ethernet 1, 2, and 3: —

  Cisco ISE Service: Replication and Synchronization
  Ports on Gigabit Ethernet 0:
  • TCP: 443 (HTTPS SOAP)
  • TCP: 12001 Global (JGroups - Data synchronization / Data replication)

  Cisco ISE Service: Clustering (Node Group)
  Ports on Gigabit Ethernet 0:
  • UDP: 45588, 45590 (Local JGroup)
  • TCP: 7802 (Local JGroup failure detection)

  Cisco ISE Service: Monitoring
  Ports on Gigabit Ethernet 0:
  • UDP: 161 (SNMP)
  Note This port is route table dependent.

  Cisco ISE Service: Logging (Outbound)
  Ports on Gigabit Ethernet 0:
  • UDP: 20514, TCP: 1468 (Syslog)
  • TCP: 6514 (Secure Syslog)
  Note Default ports are configurable for external logging.
  • UDP: 162 (SNMP Traps)

  Cisco ISE Service: Session
  • UDP: 1645, 1812 (RADIUS Authentication)
  • UDP: 1646, 1813 (RADIUS Accounting)
  • UDP: 1700 (RADIUS change of authorization Send)
  • UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
  Note UDP port 3799 is not configurable.


Table C-1 Cisco ISE Services and Ports (continued)

Cisco ISE Node: Policy Service node (continued)

  Cisco ISE Service: External Identity Stores and Resources (Admin user interface authentication and endpoint authentication)
  Ports on Gigabit Ethernet 0:
  • TCP: 389, 3268 (LDAP)
  • TCP: 445 (SMB)
  • TCP: 88 (KDC)
  • TCP: 464 (KPASS)
  • UDP: 123 (NTP)
  • UDP: 53 (DNS)

  Cisco ISE Service: Web Portal Services
  - Guest/Web Auth
  - Guest Sponsor portal
  - My Devices portal
  - Client Provisioning
  - BlackListing portal
  Ports:
  • HTTPS (Interface must be enabled for service in Cisco ISE.)
  • TCP: 8000-8999 (Guest Portal and Client Provisioning. Default port is TCP: 8443.)
  • TCP: 8000-8999 (Sponsor Portal. Default port is TCP: 8443.)
  • TCP: 8000-8999 (My Devices Portal. Default port is TCP: 8443.)
  • TCP: 8000-8999 (Blacklist Portal. Default port is TCP: 8444.)
  • TCP: 25 (SMTP Notification)


Table C-1 Cisco ISE Services and Ports (continued)

Cisco ISE Node: Policy Service node (continued)

  Cisco ISE Service: Posture
  - Discovery
  • TCP: 80 (HTTP) Discovery - Client side
  Note By default, TCP: 80 is redirected to TCP: 8443. See Web Portal Services: Guest Portal and Client Provisioning.
  • TCP: 8905 (HTTPS) Discovery - Client side
  • TCP: 8443, 8905 (HTTPS) Discovery - Policy Service node side
  - Provisioning
  • URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning.
  • Active-X and Java Applet Install including IP refresh, Web Agent install, and launch NAC Agent install—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning.
  • TCP: 8443 Provisioning: NAC Agent Install
  • UDP: 8905 (SWISS) Provisioning: NAC Agent update notification
  • TCP: 8905 (HTTPS) Provisioning: NAC Agent and other package/module updates
  - Assessment/Heartbeat
  • TCP: 8905 (HTTPS) Assessment: Posture Negotiation and Agent Reports
  • UDP: 8905 (SWISS) Assessment: PRA/Keep-alive

  Cisco ISE Service: Bring Your Own Device (BYOD) / Network Service Protocol - Redirection
  - Provisioning
  • URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning.
  • Active-X and Java Applet Install (includes the launch of Wizard Install)—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning.
  • TCP: 8443 Provisioning: Wizard Install from Cisco ISE (Windows and Mac OS)
  • TCP: 443 Provisioning: Wizard Install from Google Play (Android)
  • TCP: 8905 Provisioning: Supplicant Provisioning Process
  - SCEP
  • TCP: 80 or TCP: 443 SCEP Proxy to CA (Based on SCEP RA URL config)
  • URL Redirection—See Web Portal Services: Guest Portal and Client Provisioning.

  Cisco ISE Service: Mobile Device Management (MDM) API Integration
  • API—Vendor-specific
  • Agent Install and Device Registration—Vendor-specific


Table C-1 Cisco ISE Services and Ports (continued)

Cisco ISE Node: Policy Service node (continued)

  Cisco ISE Service: Profiling
  Ports on Gigabit Ethernet 0:
  • TCP: 80, 8080 (HTTP)
  • NMAP uses ports 0-65535² (outbound).
  • UDP: 53 (DNS lookup)
  • UDP: 67 (DHCP)
  Note This port is configurable.
  • UDP: 68 (DHCP SPAN)
  Note This port is configurable.
  • UDP: 9996 (NetFlow)
  Note This port is configurable.
  • UDP: 161 (SNMP Query)
  Note This port is route table dependent.
  • UDP: 162 (SNMP Trap)
  Note This port is route table dependent.

Cisco ISE Node: Inline Posture node

  Cisco ISE Service: Administration
  Ports on Gigabit Ethernet 0:
  • TCP: 22 (SSH server)
  • TCP: 8443 (HTTPS)
  Note TCP: 8443 is used by the Administration node.
  Ports on Gigabit Ethernet 1, 2, and 3: —

  Cisco ISE Service: Session
  Ports on Gigabit Ethernet 0 and Gigabit Ethernet 1:
  • UDP: 1645, 1812 (RADIUS proxy for authentication)
  • UDP: 1646, 1813 (RADIUS proxy for accounting)
  • RADIUS CoA: Not Applicable (one interface); UDP: 1700, 3799 (RADIUS CoA) on the other
  Note UDP port 3799 is not configurable.
  • TCP: 9090 (Redirect)

  Cisco ISE Service: Logging
  Ports on Gigabit Ethernet 0 and Gigabit Ethernet 1:
  • UDP: 20154 (Syslog)
  Note This port is configurable.

  Cisco ISE Service: Inline Posture
  Note Inline Posture node High Availability does not apply to any other Cisco ISE node types.


Table C-1 Cisco ISE Services and Ports (continued)

Cisco ISE Node: Inline Posture node (continued)

  Cisco ISE Service: High Availability
  Ports on Gigabit Ethernet 0 and Gigabit Ethernet 1: —
  Ports on Gigabit Ethernet 2:
  • UDP: 694 (Heartbeat)
  Ports on Gigabit Ethernet 3:
  • UDP: 694 (Heartbeat)

1. Because Inline Posture nodes do not support the Administration persona, they will not have access to this port.
2. NMAP OS Scan uses ports 0-65535 to detect the endpoint operating system.

Ports to be Used for OCSP and CRL

For the Online Certificate Status Protocol (OCSP) services and the Certificate Revocation List (CRL), the ports depend on the CA server or service hosting OCSP/CRL, although the Cisco ISE Services and Ports table above lists the basic ports that are used in Cisco ISE. For OCSP, the default ports that can be used are TCP 80 and TCP 443. The Cisco ISE admin portal expects an HTTP-based URL for OCSP services, so TCP 80 is the default. You can also use non-default ports. For the CRL, the default protocols include HTTP, HTTPS, and LDAP, and the default ports are 80, 443, and 389 respectively. The actual port is contingent on the CRL server. For more information, see OCSP Services and Certificate Store Edit Settings.
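Table C-1 states that the listed ports must be open on the corresponding firewall. As an added example that is not part of this Cisco guide, the following Python script transcribes the inbound listening ports from Table C-1 for the Administration, Monitoring, and Policy Service personas and audits a firewall ACL against them, reporting each required port the ACL does not permit. The Cisco-style ACL syntax subset it parses, the sample rules, and the 10.0.0.5 address are constructed for this example.

```python
"""Audit firewall ACL entries against the Cisco ISE 1.2 inbound ports in Table C-1.

Added example, not Cisco's code. REQUIRED_INBOUND is transcribed from Table C-1
for three personas; the ACL syntax handled (a Cisco extended-ACL subset) and the
sample rules are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number), e.g. ("udp", 1812)


def _p(proto: str, *nums: int) -> Set[Port]:
    return {(proto, n) for n in nums}


# Inbound ports each persona must accept on Gigabit Ethernet 0 (Table C-1).
# Portal ranges (TCP 8000-8999) are represented by their documented defaults.
REQUIRED_INBOUND: Dict[str, Dict[str, Set[Port]]] = {
    "administration": {
        "Administration": _p("tcp", 22, 80, 443, 9060),
        "Replication and Synchronization": _p("tcp", 443, 12001),
        "Monitoring (SNMP query)": _p("udp", 161),
    },
    "monitoring": {
        "Administration": _p("tcp", 22, 80, 443),
        "Replication and Synchronization": _p("tcp", 443, 1521, 12001),
        "Logging (syslog received)": _p("udp", 20514) | _p("tcp", 1468, 6514),
        "Monitoring (SNMP query)": _p("udp", 161),
    },
    "policy-service": {
        "Administration": _p("tcp", 22, 80, 443),
        "Replication and Synchronization": _p("tcp", 443, 12001),
        "Clustering (Node Group)": _p("udp", 45588, 45590) | _p("tcp", 7802),
        "Session (RADIUS auth/acct/CoA)": _p("udp", 1645, 1812, 1646, 1813, 1700, 3799),
        "Web Portal Services (default ports)": _p("tcp", 8443, 8444),
        "Posture (discovery/provisioning/assessment)": _p("tcp", 8905) | _p("udp", 8905),
        "Profiling (DHCP, DHCP SPAN, NetFlow, SNMP trap)": _p("udp", 67, 68, 9996, 162),
    },
}

# Subset of Cisco extended-ACL syntax used by the constructed sample:
#   permit <tcp|udp> any host <ip> eq <port>
#   permit <tcp|udp> any host <ip> range <low> <high>
_RULE = re.compile(
    r"^\s*permit\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+"
    r"(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))\s*$", re.IGNORECASE)


def parse_acl(lines: List[str]) -> Dict[str, Set[Port]]:
    """Return {destination host: set of (proto, port)} permitted by the ACL."""
    allowed: Dict[str, Set[Port]] = {}
    for line in lines:
        m = _RULE.match(line)
        if not m:
            continue  # remarks, deny lines and unsupported syntax are skipped
        proto, host, eq, low, high = m.groups()
        ports = [int(eq)] if eq else list(range(int(low), int(high) + 1))
        allowed.setdefault(host, set()).update((proto.lower(), n) for n in ports)
    return allowed


def audit(persona: str, host: str, acl: List[str]) -> Dict[str, Set[Port]]:
    """Per Cisco ISE service, the required inbound ports the ACL does not permit."""
    allowed = parse_acl(acl).get(host, set())
    missing: Dict[str, Set[Port]] = {}
    for service, ports in REQUIRED_INBOUND[persona].items():
        gap = ports - allowed
        if gap:
            missing[service] = gap
    return missing


# Constructed sample ACL for a Policy Service node at 10.0.0.5 (placeholder).
# It omits UDP 3799 (CoA listen port, not configurable per Table C-1) and
# TCP 7802 (node-group failure detection), which the audit should flag.
SAMPLE_ACL = [
    "remark ISE PSN 10.0.0.5 inbound",
    "permit tcp any host 10.0.0.5 eq 22",
    "permit tcp any host 10.0.0.5 range 80 80",
    "permit tcp any host 10.0.0.5 eq 443",
    "permit tcp any host 10.0.0.5 eq 12001",
    "permit udp any host 10.0.0.5 range 45588 45590",
    "permit udp any host 10.0.0.5 range 1645 1646",
    "permit udp any host 10.0.0.5 range 1812 1813",
    "permit udp any host 10.0.0.5 eq 1700",
    "permit tcp any host 10.0.0.5 range 8000 8999",
    "permit tcp any host 10.0.0.5 eq 8905",
    "permit udp any host 10.0.0.5 eq 8905",
    "permit udp any host 10.0.0.5 range 67 68",
    "permit udp any host 10.0.0.5 eq 9996",
    "permit udp any host 10.0.0.5 eq 162",
    "deny ip any any",
]

if __name__ == "__main__":
    for service, gap in sorted(audit("policy-service", "10.0.0.5", SAMPLE_ACL).items()):
        print(f"{service}: missing " + ", ".join(f"{p}/{n}" for p, n in sorted(gap)))
```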


Appendix D

Cisco ISE Licenses

This chapter describes the licensing mechanism and schemes that are available for Cisco ISE and how to add and upgrade licenses.

• Cisco ISE Licensing, page D-1

• Obtaining a Cisco ISE License from Cisco.com, page D-3

• Adding or Upgrading a License, page D-5

• Removing a License, page D-5

Cisco ISE Licensing

Cisco ISE licensing provides the ability to manage the application features and access, such as the number of concurrent endpoints that can use Cisco ISE network resources. To help you select the features you want, licensing in Cisco ISE is granular. Cisco offers multiple license packages, such as Base, Plus, and Advanced.

Table D-1 Cisco ISE License Packages

License Package: Base
Perpetual or Subscription: Perpetual
ISE Functionality Covered:
• Basic network access: AAA, IEEE-802.1X
• Guest management
• Link encryption (MACSec)

License Package: Plus
Perpetual or Subscription: Subscription (1, 3, or 5 years)
ISE Functionality Covered:
• Bring Your Own Device (BYOD)
• Profiling
• Endpoint Protection Service (EPS)
• TrustSec SGT
Notes: Does not include Base services. A Base license is required for each Plus license.


Table D-1

Cisco ISE License Packages

License Package Advanced

Perpetual or Subscription

ISE Functionality Covered

Subscription (1, 3, or 5 years)



Bring Your Own Device (BYOD)



Profiling



Endpoint Protection Service (EPS)



TrustSec SGT



Mobile Device Manager (MDM)



Health Compliance and Remediation



Posture

Notes Does not include Base services. A Base license is required for each Advanced license. The Advanced license includes all the functionality of Plus license.

Wireless

Subscription (1, 3, or 5 years)

A Wireless license turns on the functionality of Base and Advanced licenses for wireless LAN deployments.

Cannot coexist on a Cisco Administration node with Base, Plus, or Advanced Licenses.

Wireless Upgrade

Subscription (1, 3, or 5 years)

A Wireless Upgrade license turns on the functionality of Base and Advanced licenses for all wireless and non-wireless client-access methods, including wired and VPN Concentrator access.

You can only install a Wireless Upgrade License on top of an existing Wireless license.

Evaluation

Temporary (90 days)

Full Cisco ISE functionality is provided for 100 endpoints.

Limited use of Cisco ISE product for pre-sale customer evaluations. All Cisco ISE appliances are supplied with an Evaluation license.

All Cisco ISE appliances are supplied with a 90-day Evaluation license. To continue to use Cisco ISE services after the 90-day Evaluation license expires, and to support more than 100 concurrent endpoints on the network, you must obtain and register Base licenses for the number of concurrent users on your system. If you require additional functionality, you will need Plus or Advanced licenses to enable that functionality.

After you install the Cisco ISE software and initially configure the appliance as the primary Administration node, you must obtain a license for Cisco ISE and then register that license. Cisco ISE supports licenses with two hardware IDs. You can obtain a license based on the hardware IDs of both the primary and secondary Administration nodes. You register all licenses to the Cisco ISE primary Administration node via the primary and secondary Administration node hardware ID. The primary Administration node then centrally manages all the licenses that are registered for your deployment.


Note

You always require a Base license. However, you do not need a Plus license in order to have an Advanced license or vice versa. Cisco recommends installing the Base, Plus, and Advanced Licenses at the same time.
• When you install a Base License over a default Evaluation License, the Base License overrides only the base license-related portion of the Evaluation License and keeps the Plus and Advanced License capabilities available for the remainder of the default Evaluation License duration.
• You cannot upgrade the Evaluation License to a Plus or Advanced License without first installing the Base License.
• When you install a Wireless License over a default Evaluation License, the Wireless License overrides the Evaluation License parameters with the specific duration and user count associated with the Wireless License.

License Count

A Cisco ISE user consumes a license during an active session. Once the session has ended, ISE releases the license for reuse by another user. The Cisco ISE license is counted as follows:
• A Base, Plus, or Advanced license is consumed based on the feature that is used.
• An endpoint with multiple network connections can consume more than one license per MAC address, for example, a laptop connected to wired and to wireless at the same time. Licenses for VPN connections are based on the IP address.
• Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start has been received but a RADIUS Accounting Stop has not yet been received.

Note
Sessions without RADIUS activity are automatically purged from the Active Session list every 5 days or if the endpoint is deleted from the system.

To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed the license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generates alarms when endpoint counts exceed the licensed amounts:
• 80% Info
• 90% Warning
• 100% Critical
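The counting rules above (Start opens a session, Stop closes it, one license per authenticated connection of a MAC, VPN keyed by IP, idle purge after 5 days, alarms at 80/90/100 percent) can be modelled to sanity-check what an Active Sessions view should show. The following is an added example and not Cisco ISE code; the accounting record layout is a constructed stand-in for real RADIUS accounting packets.

```python
"""Concurrent-session license counting modelled on the rules in the License
Count section: a session opens on RADIUS Accounting Start and closes on
Accounting Stop, each authenticated connection of one MAC address counts
separately, VPN sessions are keyed by IP address, sessions with no RADIUS
activity are purged after 5 days, and alarms are raised at 80, 90 and
100 percent of the licensed count. Added example, not Cisco ISE code; the
record layout is a constructed stand-in for real RADIUS accounting packets."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PURGE_AFTER = timedelta(days=5)
# Checked from the highest level down so the most severe matching alarm wins.
THRESHOLDS = ((1.00, "Critical"), (0.90, "Warning"), (0.80, "Info"))


@dataclass
class AcctRecord:
    ts: datetime
    status: str          # "Start", "Interim-Update" or "Stop"
    mac: str             # Calling-Station-Id
    nas_port_type: str   # "Ethernet", "Wireless-802.11" or "Virtual" (VPN)
    framed_ip: str = ""  # Framed-IP-Address, only needed for VPN sessions


def session_key(rec: AcctRecord) -> tuple:
    """VPN sessions are licensed per IP address; everything else per
    (MAC, connection type), so a wired+wireless laptop consumes two."""
    if rec.nas_port_type == "Virtual":
        return ("vpn", rec.framed_ip)
    return (rec.mac.lower(), rec.nas_port_type)


@dataclass
class LicenseCounter:
    licensed: int
    active: dict = field(default_factory=dict)  # session key -> last RADIUS activity

    def feed(self, rec: AcctRecord) -> None:
        key = session_key(rec)
        if rec.status == "Stop":
            self.active.pop(key, None)       # Stop releases the license for reuse
        else:
            self.active[key] = rec.ts        # Start or Interim-Update keeps it active

    def purge_idle(self, now: datetime) -> int:
        """Drop sessions with no RADIUS activity for PURGE_AFTER; returns how many."""
        stale = [k for k, last in self.active.items() if now - last >= PURGE_AFTER]
        for k in stale:
            del self.active[k]
        return len(stale)

    def concurrent(self) -> int:
        return len(self.active)

    def alarm(self):
        """Name of the alarm level reached, or None below 80 percent. Service is
        still provided above 100 percent; only the alarm changes."""
        ratio = self.concurrent() / self.licensed
        for level, name in THRESHOLDS:
            if ratio >= level:
                return name
        return None


def demo() -> tuple:
    """Runs constructed accounting traffic through a 5-license counter."""
    t0 = datetime(2014, 1, 23, 9, 0)
    records = [
        AcctRecord(t0, "Start", "00:11:22:33:44:01", "Ethernet"),
        AcctRecord(t0, "Start", "00:11:22:33:44:01", "Wireless-802.11"),  # same laptop, 2nd license
        AcctRecord(t0, "Start", "00:11:22:33:44:02", "Wireless-802.11"),
        AcctRecord(t0, "Start", "", "Virtual", framed_ip="10.0.0.5"),        # VPN, keyed by IP
        AcctRecord(t0, "Start", "00:11:22:33:44:03", "Ethernet"),
        AcctRecord(t0, "Stop", "00:11:22:33:44:02", "Wireless-802.11"),      # releases one license
        AcctRecord(t0 + timedelta(days=4), "Interim-Update", "00:11:22:33:44:01", "Ethernet"),
    ]
    counter = LicenseCounter(licensed=5)
    for rec in records:
        counter.feed(rec)
    concurrent, alarm = counter.concurrent(), counter.alarm()   # 4 sessions, 80 percent -> "Info"
    purged = counter.purge_idle(t0 + timedelta(days=6))         # 3 idle sessions dropped
    return concurrent, alarm, purged, counter.concurrent()


if __name__ == "__main__":
    print(demo())
```

The constructed traffic ends with four concurrent sessions against five licenses, which is exactly the 80 percent Info threshold; the wired session that sent an Interim-Update survives the 5-day purge while the three silent ones are dropped.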

Obtaining a Cisco ISE License from Cisco.com

To continue to use Cisco ISE services after the 90-day Evaluation License expires, and to support more than 100 concurrent endpoints on the network, you must install a Base, Plus, Advanced, or Wireless license package for Cisco ISE. License files are based on a combination of the Cisco ISE hardware ID and Product Authorization Key (PAK). When you purchase Cisco ISE, or before the 90-day license expires, you can research the licensing options on Cisco.com and order the package that is suitable for your deployment of Cisco ISE.


If you have two Administration nodes deployed in a high-availability pair, you must ensure that each of them has the same license capabilities, and add the licenses while the node is in a standalone or primary state. Within an hour of ordering your license files from Cisco.com, you should receive an e-mail with the Cisco Supplemental End-User License Agreement and a Claim Certificate containing a PAK for each license that you order. After receiving the Claim Certificate, you can log in and access the Cisco Product License Registration website at http://www.cisco.com/go/license and provide the appropriate hardware ID information and PAK to generate your license. You must supply the following specific information to generate your license file:
• Product identifier (PID) of both the primary and secondary Administration nodes
• Version identifier (VID)
• Serial number (SN)
• PAK

See the Cisco Identity Services Engine Licensing Note for more details. The day after you submit your license information in the Cisco Product License Registration website, you will receive an e-mail with your license file as an attachment. Save the license file to a known location on a local machine and use the instructions in Adding or Upgrading a License, page D-5 to add and update any product licenses for Cisco ISE.

For detailed information and license part numbers that are available for Cisco ISE, including licensing options for new installations as well as migration from an existing Cisco security product like Cisco Secure Access Control Server, see the Cisco Identity Services Engine Ordering Guidelines at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html.

Related Topics
• Determining Your Hardware ID Using the CLI, page D-4
• Determining Your Hardware ID Using the Admin Portal, page D-4

Determining Your Hardware ID Using the CLI

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address. To determine the Hardware ID, access the Cisco ISE direct-console CLI and enter the show inventory command. The output includes a line showing the PID, VID, and SN, similar to the following:

PID: NAC3315, VID: V01, SN: ABCDEFG

Determining Your Hardware ID Using the Admin Portal

Cisco ISE licenses are generated based on the Administration node hardware ID, not the MAC address. If your current license has not expired, you can view the Administration node hardware ID by completing the following steps:

Step 1
From the Cisco ISE Administration interface, choose Administration > System > Licensing.

Step 2
In the License Operations navigation pane, click Current Licenses.


Step 3

Select the button corresponding to the Cisco ISE node that you want to check for the Administration node hardware ID, and click Administration Node to view the PID, VID, and SN.

Adding or Upgrading a License

You can add a license only on a standalone or a primary Administration node. You can upgrade your existing Evaluation License on or before the expiration of the 90-day evaluation period. You have two options for upgrading or replacing your Evaluation License:
• Install a Base license and then choose whether to also install a Plus or Advanced license
• Install a Wireless license

A single endpoint with multiple network connections may consume more than one Base, Plus, or Advanced License. This situation can occur, for example, if an endpoint has both a wired and a wireless network connection. Each unique authenticated connection will require its own license.

Before You Begin
Make sure that you have obtained and installed an appropriate license on your Cisco ISE node. See Obtaining a Cisco ISE License from Cisco.com, page D-3 for more information.

Step 1
From the Cisco ISE Administration interface, choose Administration > System > Licensing > Current Licenses.

Step 2
Click the radio button next to the license name that you want to upgrade, and click Edit.

Step 3
Click Add Services.

Step 4
Click Browse and select the license file.

Step 5
Click Import to import the new license file that supports the added service.

Step 6
Go back to the Current Licenses page to verify the addition of the upgraded license. For further confirmation, check the features of the respective services for which the license has been upgraded.

Note

The Current Licenses page displays the number of installed Plus and Advanced licenses in a combined Advance/Plus Counter. For example, if you have installed 500 Plus licenses and 1000 Advanced licenses, the Advance/Plus Counter displays 1500.

Related Topics
• Removing a License, page D-5

Removing a License

You can remove individual Base, Plus, Advanced, and Wireless licenses, but keep in mind the following conditions:
• If the Plus or Advanced license count is greater than the Base license count, then the Base license cannot be deleted.




• If you install a combined license, all related installations in the Base and Advanced packages are also removed.
• If you remove a production-level license within the standard 90-day evaluation period, the Evaluation License is automatically restored after you remove the production license.
• You cannot remove Evaluation Licenses.

Before You Begin
If you have installed a Wireless Upgrade license after a Wireless license, you must remove the Wireless Upgrade license before you can remove the underlying Wireless license.

Step 1
Choose Administration > System > Licensing > Current Licenses.

Step 2
Click the radio button next to the relevant node name, and click Edit.

Step 3
Click the radio button next to the license name that you want to delete and click Remove.

Step 4
Click OK.


Appendix E

Certificate Management in Cisco ISE

Certificates are used in a network to provide secure access. Certificates are used to identify Cisco ISE to an endpoint and also to secure the communication between that endpoint and the Cisco ISE node. Certificates are used for all HTTPS communication and the Extensible Authentication Protocol (EAP) communication.

HTTPS Communication Using the Cisco ISE Certificate

All Cisco ISE web portals from release 1.1.0 onwards are secured using the HTTPS (TLS-encrypted HTTP communication) protocol:
• Administration Portal
• Centralized Web Authentication Portal
• Sponsor Portal
• Client Provisioning Portal
• My Devices Portal

Figure E-1 shows a TLS-encrypted process when communicating with the Admin portal.

Figure E-1 HTTPS (TLS-Encrypted HTTP Communication)


EAP Communication Using the Cisco ISE Certificate

Certificates are used with almost all EAP methods. The following EAP methods are commonly used:
• EAP-TLS
• PEAP
• EAP-FAST

For tunneled EAP methods, such as PEAP and FAST, Transport Layer Security (TLS) is used to secure the credential exchange. Similar to a request to an HTTPS web site, the client establishes a connection with the server. The server presents its certificate to the client. If the client trusts the certificate, the TLS tunnel is formed. The client's credentials are not sent to the server until after the tunnel is established, thereby ensuring a secure exchange. In a secure access deployment, the client is a supplicant, and the server is an ISE Policy Service node. Figure E-2 shows an example using PEAP.

Figure E-2 EAP Communication

Certificates Enable Cisco ISE to Provide Secure Access

The Cisco Identity Services Engine (ISE) relies on public key infrastructure (PKI) to provide secure communication with both endpoints and administrators, as well as between Cisco ISE nodes in a multinode deployment. PKI relies on X.509 digital certificates to transfer public keys for encryption and decryption of messages, and to verify the authenticity of other certificates representing users and devices. Cisco ISE provides the Admin Portal to manage the following two categories of X.509 certificates:
• Local certificates—These are server certificates that identify a Cisco ISE node to client applications. Every Cisco ISE node has its own local certificates, each of which is stored on the node along with the corresponding private key.
• Certificate Store certificates—These are certificate authority (CA) certificates used to establish trust for the public keys received from users and devices. The Certificate Store also contains certificates that are distributed by the Simple Certificate Enrollment Protocol (SCEP), which enables registration of mobile devices into the enterprise network. Certificates in the Certificate Store are managed on the primary Administration node, and are automatically replicated to all other nodes in a Cisco ISE deployment.


In a distributed deployment, you must import the certificate only into the certificate trust list (CTL) of the primary Administration node. The certificate gets replicated to the secondary nodes. In general, to ensure that certificate authentication in Cisco ISE is not impacted by minor differences in certificate-driven verification functions, use lower-case hostnames for all Cisco ISE nodes deployed in a network.

Enabling PKI in Cisco ISE

You should enable PKI in Cisco ISE in the following way:

Step 1
Establish local certificates on each deployment node for TLS-enabled authentication protocols (for example, EAP-TLS protocol), and for HTTPS, which is used by browser and REST clients to access the Cisco ISE web portals. By default, a Cisco ISE node is preinstalled with a self-signed certificate that is used for both purposes. In a typical enterprise environment, this certificate is replaced with one or two server certificates that are signed by a trusted CA.

Step 2
Populate the Certificate Store with the CA certificates that are necessary to establish trust with the user as well as device certificates that will be presented to Cisco ISE. If a certificate chain consisting of a root CA certificate plus one or more intermediate CA certificates is required to validate the authenticity of a user or device certificate, you must import the entire chain into the Certificate Store.

Related Topics
• See Local Certificates, page E-4 for details on how to generate a Certificate Signing Request and import a CA-signed certificate.
• See Certificate Store, page E-24 for details on how to import these certificate chains.

The Cisco ISE nodes use HTTPS for inter-node communication, so an administrator must populate the Certificate Store with the trust certificate(s) needed to validate the HTTPS local certificate belonging to each node in the Cisco ISE deployment. If a default self-signed certificate is used for HTTPS, then you must export this certificate from each Cisco ISE node and import it into the certificate store. If you replace the self-signed certificates with CA-signed certificates, it is only necessary to populate the Certificate Store with the appropriate root CA and intermediate CA certificates. Be aware that you cannot register a node in a Cisco ISE deployment until you complete this step.

If a Cisco ISE deployment is to be operated in FIPS mode, you must ensure that all local and certificate store certificates are FIPS-compliant. This means that each certificate must have a minimum key size of 2048 bytes, and use SHA-1 or SHA-256 encryption.

Note
After you obtain a backup from a standalone Cisco ISE or primary Administration node, if you change the certificate configuration on one or more nodes in your deployment, you must obtain another backup to restore data. Otherwise, if you try to restore data using the older backup, communication between the nodes might fail.


This chapter contains the following sections:
• Local Certificates, page E-4
• Certificate Signing Requests, page E-23
• Certificate Store, page E-24
• Simple Certificate Enrollment Protocol Profiles, page E-29
• OCSP Services, page E-30

Local Certificates

Cisco ISE local certificates are server certificates that identify a Cisco ISE node to client applications. Local certificates are:
• Used by browser and REST clients who connect to Cisco ISE web portals. You must use HTTPS protocol for these connections.
• Used to form the outer TLS tunnel with PEAP and EAP-FAST. These certificates can be used for mutual authentication with EAP-TLS, PEAP, and EAP-FAST.

You must install valid local certificates for HTTPS and EAP-TLS on each node in your Cisco ISE deployment. By default, a self-signed certificate is created on a Cisco ISE node during installation time, and this certificate is designated for HTTPS and EAP-TLS use (it has a key length of 1024 and is valid for one year). It is recommended that you replace the self-signed certificate with a CA-signed certificate for greater security.

Wildcard Certificates

A wildcard certificate uses a wildcard notation (an asterisk and period before the domain name) and allows the certificate to be shared across multiple hosts in an organization. For example, the CN value for the Certificate Subject would be some generic hostname such as aaa.ise.local and the SAN field would include the same generic hostname and the wildcard notation, such as DNS.1=aaa.ise.local and DNS.2=*.ise.local.

If you configure a wildcard certificate to use *.ise.local, you can use the same certificate to secure any other host whose DNS name ends with ".ise.local," such as:
• aaa.ise.local
• psn.ise.local
• mydevices.ise.local
• sponsor.ise.local

Figure E-3 shows an example of a wildcard certificate that is used to secure a web site.


Figure E-3 Wildcard Certificate Example

Wildcard certificates secure communications in the same way as a regular certificate, and requests are processed using the same validation methods.

Related Topics
• Wildcard Certificates for HTTPS and EAP Communication, page E-5
• Wildcard Certificate Support in Cisco ISE, Release 1.2, page E-6
• Fully Qualified Domain Name in URL Redirection, page E-6
• Wildcard Certificate Compatibility, page E-8
• Creating a Wildcard Certificate, page E-8
• Installing Wildcard Certificates in Cisco ISE, page E-10

Wildcard Certificates for HTTPS and EAP Communication

You can use wildcard server certificates in Cisco ISE for HTTPS (web-based services) and EAP protocols that use SSL/TLS tunneling. With the use of wildcard certificates, you no longer have to generate a unique certificate for each Cisco ISE node. Also, you no longer have to populate the SAN field with multiple FQDN values to prevent certificate warnings. Using an asterisk (*) in the SAN field allows you to share a single certificate across multiple nodes in a deployment and helps prevent certificate name mismatch warnings. However, use of wildcard certificates is considered less secure than assigning a unique server certificate for each Cisco ISE node.


Note
If you use wildcard certificates, we strongly recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to serious security issues.

A wildcard certificate uses an asterisk (*) and a period before the domain name. For example, the CN value for a certificate's Subject Name would be a generic host name such as aaa.ise.local and the SAN field would have the wildcard character, such as *.ise.local. Cisco ISE supports wildcard certificates in which the wildcard character (*) is the leftmost character in the presented identifier, for example, *.example.com or *.ind.example.com. Cisco ISE does not support certificates in which the presented identifier contains additional characters along with the wildcard character, for example, abc*.example.com, a*b.example.com, or *abc.example.com.

Wildcard Certificate Support in Cisco ISE, Release 1.2

Cisco ISE release 1.2 supports wildcard certificates. Prior to release 1.2, Cisco ISE verified any certificate enabled for HTTPS to ensure that the CN field matched the Fully Qualified Domain Name (FQDN) of the host exactly. If the fields did not match, the certificate could not be used for HTTPS communication. Prior to release 1.2, Cisco ISE also used that CN value to replace the variable in the url-redirect A-V pair string; for all Centralized Web Authentication (CWA), onboarding, posture redirection, and so on, the CN value was used. Cisco ISE 1.2 uses the hostname as the CN instead of relying on the CN field.

Fully Qualified Domain Name in URL Redirection

When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:

url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For the eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL.

You can assign a host alias (name) for interfaces eth1 through eth3, which Cisco ISE can then substitute in place of the IP address during URL redirection. To do this, use the ip host command in configuration mode from the Cisco ISE CLI:

ISE/admin(config)# ip host IP_address host-alias FQDN-string

where
IP_address is the IP address of the network interface (eth1, eth2, or eth3)
host-alias is the name that you assign to the network interface
FQDN-string is the fully qualified domain name of the network interface

Using this command, you can assign a host-alias or an FQDN-string or both to a network interface. Here is an example:

ISE/admin(config)# ip host a.b.c.d sales sales.amer.xyz.com

After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco ISE using the application start ise command.


Use the no form of this command to remove the association of the host alias with the network interface:

ISE/admin(config)# no ip host IP_address host-alias FQDN-string

Use the show running-config command to view the host alias definitions.

If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL. When you use non-eth0 interfaces for client provisioning, native supplicant, or guest flows, you must make sure that the IP address or host alias for the non-eth0 interfaces is configured appropriately in the Policy Service node certificate's SAN fields.
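The substitution rules above (eth0 gets the node FQDN, a mapped eth1 to eth3 interface gets its FQDN-string or host-alias plus the IP domain name, an unmapped interface keeps its IP) are easy to get wrong when planning the SAN of the Policy Service node certificate. The following added example models them; it is not Cisco ISE's implementation, and the node name, domain name, addresses and the port 8443 are constructed assumptions.

```python
"""Models the keyword substitution Cisco ISE performs on the url-redirect
cisco-av-pair: for eth0 the IP is replaced by the node FQDN; for eth1-eth3
it is replaced by the FQDN-string or by host-alias plus the configured
ip domain-name from 'ip host'; an unmapped interface keeps its IP address.
It also lists the names the Policy Service node certificate SAN must carry.
Added example, not ISE code; node name, domain, addresses and port are
constructed assumptions."""
from urllib.parse import urlsplit

TEMPLATE = "https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa"


class RedirectBuilder:
    def __init__(self, node_fqdn: str, ip_domain_name: str, port: int = 8443):
        self.node_fqdn = node_fqdn            # substituted for eth0
        self.ip_domain_name = ip_domain_name  # joined to a host-alias that has no FQDN-string
        self.port = port
        self.hosts = {}                       # interface IP -> (host-alias, FQDN-string)

    def ip_host(self, ip: str, host_alias: str = None, fqdn: str = None) -> None:
        """Mirrors 'ip host IP_address host-alias FQDN-string'; either part may be omitted."""
        if not host_alias and not fqdn:
            raise ValueError("need a host-alias, an FQDN-string, or both")
        self.hosts[ip] = (host_alias, fqdn)

    def no_ip_host(self, ip: str) -> None:
        """Mirrors the 'no' form, removing the association."""
        self.hosts.pop(ip, None)

    def host_for(self, interface: str, ip: str) -> str:
        if interface == "eth0":
            return self.node_fqdn
        entry = self.hosts.get(ip)
        if entry is None:
            return ip                          # no mapping: the IP stays in the URL
        host_alias, fqdn = entry
        if fqdn:
            return fqdn                        # FQDN-string wins when present
        return f"{host_alias}.{self.ip_domain_name}"

    def build(self, interface: str, ip: str, session_id: str) -> str:
        host = self.host_for(interface, ip)
        return (TEMPLATE.replace("ip:port", f"{host}:{self.port}")
                        .replace("SessionIdValue", session_id))

    def san_names_required(self, non_eth0_ips) -> list:
        """Every host a redirect can point at must appear in the PSN certificate SAN."""
        names = {self.node_fqdn}
        for ip in non_eth0_ips:
            names.add(self.host_for("eth1", ip))   # FQDN, alias-based FQDN, or bare IP
        return sorted(names)


def redirect_host(url: str) -> str:
    """Which host a built redirect sends the client to."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    b = RedirectBuilder("ise1.company.local", "amer.xyz.com")
    b.ip_host("10.1.2.3", "sales", "sales.amer.xyz.com")   # page's example, constructed IP
    b.ip_host("10.1.4.4", host_alias="guest")               # alias only
    for iface, ip in (("eth0", "10.1.1.1"), ("eth1", "10.1.2.3"), ("eth2", "10.1.4.4"), ("eth3", "10.1.5.5")):
        print(iface, b.build(iface, ip, "0a1b2c"))
    print(b.san_names_required(["10.1.2.3", "10.1.4.4", "10.1.5.5"]))
```

The last call is the useful one when planning a certificate: it returns the node FQDN plus every mapped name and every unmapped interface IP, which is the set the SAN must cover if redirects from those interfaces are to validate without a name mismatch.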

Advantages of Using Wildcard Certificates
• Cost savings. Certificates signed by a third-party Certificate Authority are expensive, especially as the number of servers increases. Wildcard certificates may be used on multiple nodes in the Cisco ISE deployment.
• Operational efficiency. Wildcard certificates allow all Policy Service Node (PSN) EAP and web services to share the same certificate. In addition to significant cost savings, certificate administration is also simplified by creating the certificate once and applying it on all the PSNs.
• Reduced authentication errors. Wildcard certificates address issues seen with Apple iOS devices where the client stores trusted certificates within the profile, and does not follow the iOS keychain where the signing root is trusted. When an iOS client first communicates with a PSN, it does not explicitly trust the PSN certificate, even though a trusted Certificate Authority has signed the certificate. Using a wildcard certificate, the certificate will be the same across all PSNs, so the user only has to accept the certificate once and successive authentications to different PSNs proceed without error or prompting.
• Simplified supplicant configuration. For example, a Microsoft Windows supplicant with PEAP-MSCHAPv2 and server certificate trust enabled requires that you specify each server certificate to trust, or the user may be prompted to trust each PSN certificate when the client connects using a different PSN. With wildcard certificates, a single server certificate can be trusted rather than individual certificates from each PSN.
• Wildcard certificates result in an improved user experience with less prompting and more seamless connectivity.

Disadvantages of Using Wildcard Certificates

The following are some of the security considerations related to wildcard certificates:
• Loss of auditability and nonrepudiation
• Increased exposure of the private key
• Not common or understood by administrators

Wildcard certificates are considered less secure than a unique server certificate per ISE node. But, cost and other operational factors outweigh the security risk. Security devices such as ASA also support wildcard certificates.


You must be careful when deploying wildcard certificates. For example, if you create a certificate with *.company.local and an attacker is able to recover the private key, that attacker can spoof any server in the company.local domain. Therefore, it is considered a best practice to partition the domain space to avoid this type of compromise.

To address this possible issue and to limit the scope of use, wildcard certificates may also be used to secure a specific subdomain of your organization. Add an asterisk (*) in the subdomain area of the common name where you want to specify the wildcard. For example, if you configure a wildcard certificate for *.ise.company.local, that certificate may be used to secure any host whose DNS name ends in ".ise.company.local", such as:
• psn.ise.company.local
• mydevices.ise.company.local
• sponsor.ise.company.local

Wildcard Certificate Compatibility

Wildcard certificates are usually created with the wildcard listed as the Common Name (CN) of the Certificate Subject, such as the example in Figure E-3. Cisco ISE release 1.2 supports this type of construction. However, not all endpoint supplicants support the wildcard character in the Certificate Subject. All Microsoft native supplicants tested (including Windows Mobile) do not support the wildcard character in the Certificate Subject. You can use another supplicant, such as Cisco AnyConnect Network Access Manager (NAM), that might allow the use of the wildcard character in the Subject field. You can also use special wildcard certificates such as DigiCert's Wildcard Plus that are designed to work with incompatible devices by including specific subdomains in the Subject Alternative Name of the certificate.

Although the Microsoft supplicant limitation appears to be a deterrent to using wildcard certificates, there are alternative ways to create the wildcard certificate that allow it to work with all devices tested for secure access, including the Microsoft native supplicants. To do this, instead of using the wildcard character in the Subject, you must use the wildcard character in the Subject Alternative Name (SAN) field instead. The SAN field maintains an extension designed for checking the domain name (DNS name). See RFCs 6125 and 2128 for more information. For more information on Microsoft support of wildcard certificates, see: http://technet.microsoft.com/en-US/cc730460
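The two rules that decide whether a wildcard certificate will validate against a given node name, stated in the wildcard Note earlier (the asterisk must be the whole leftmost label; abc*.example.com, a*b.example.com and *abc.example.com are not supported) and in this section (match on the SAN dNSName entries rather than the Subject CN), can be checked offline before a certificate is requested. The following is an added example, not Cisco ISE or supplicant code; the certificates are constructed dicts rather than parsed X.509 objects, and the refusal of a bare two-label wildcard is an extra check beyond what the page states.

```python
"""Server-name matching for the wildcard rules stated in this appendix: the
wildcard is supported only as the entire leftmost label, a wildcard stands
for exactly one label, and dNSName entries in the SAN are checked in
preference to the Subject CN (the construction that works with supplicants
that reject a wildcard in the Subject). Added example, not Cisco ISE or
supplicant code; certificates are constructed dicts, not parsed X.509."""


def wildcard_is_supported(identifier: str) -> bool:
    """True for a plain name, or for a wildcard that is the whole leftmost label."""
    labels = identifier.lower().rstrip(".").split(".")
    if any("*" in label for label in labels[1:]):
        return False                          # wildcard allowed only in the first label
    if "*" not in labels[0]:
        return True
    # The label must be exactly '*' and at least two labels must follow it. The
    # two-label minimum is an added check beyond the page's rule, so that a bare
    # '*.local'-style identifier is not accepted.
    return labels[0] == "*" and len(labels) >= 3


def identifier_matches(identifier: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, '*' matches exactly one label."""
    if not wildcard_is_supported(identifier):
        return False
    ident = identifier.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(ident) != len(host):
        return False                          # *.ise.local does not cover a.b.ise.local
    first, rest = ident[0], ident[1:]
    return (first == "*" or first == host[0]) and rest == host[1:]


def certificate_matches(cert: dict, hostname: str) -> tuple:
    """Returns (matched, field_used). When any dNSName SAN is present the CN is
    not consulted, which is the behaviour the SAN-based construction relies on."""
    san = cert.get("san_dns", [])
    if san:
        return any(identifier_matches(name, hostname) for name in san), "SAN"
    return identifier_matches(cert.get("cn", ""), hostname), "CN"


# Constructed certificates: the layout the page recommends (generic CN, SAN with
# the same host plus the wildcard), a partitioned wildcard, and a Subject-only wildcard.
WILDCARD_CERT = {"cn": "aaa.ise.local", "san_dns": ["aaa.ise.local", "*.ise.local"]}
PARTITIONED_CERT = {"cn": "psn.amer.example.com", "san_dns": ["*.amer.example.com"]}
CN_ONLY_CERT = {"cn": "*.ise.local"}   # wildcard in the Subject only


def check_hosts(cert: dict, hostnames) -> dict:
    """Map each planned node name to whether the certificate would validate for it."""
    return {h: certificate_matches(cert, h)[0] for h in hostnames}


if __name__ == "__main__":
    for ident in ("*.example.com", "*.ind.example.com", "abc*.example.com", "a*b.example.com", "*abc.example.com"):
        print(f"{ident:22s} supported={wildcard_is_supported(ident)}")
    print(check_hosts(WILDCARD_CERT, ["psn.ise.local", "aaa.ise.local", "a.b.ise.local", "psn.other.local"]))
    print(certificate_matches(PARTITIONED_CERT, "psn.emea.example.com"))
```

Note that check_hosts only tells you whether the name form is acceptable; a supplicant that refuses a wildcard in the Subject will still reject CN_ONLY_CERT even though certificate_matches reports a CN match, which is exactly why the SAN-based construction is preferred.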

Creating a Wildcard Certificate

This section describes how to create a wildcard certificate. This procedure would work for most SSL certificate providers. However, if your SSL certificate provider does not support wildcard values in the SAN field of the certificate, then you must populate the certificate SAN with the FQDN of each ISE node and interface (per the alias specified using the ip host command). This certificate is known as a multi-domain certificate. FQDNs for specific service aliases such as those used for the My Devices and Sponsor portals should also be included in the certificate SAN. Some services such as Local Web Authentication to the ISE Admin portal, Sponsor portal, and the My Devices portal can use a load balancer. In these cases, the FQDN assigned to the virtual IP address of the load-balanced service should be included in the SAN field of the certificate.

Note
It is possible to have separate certificates for HTTPS and EAP authentication. The certificate designated for HTTPS is used to secure inter-node communications and all web portal services including Central Web Authentication, DRW, Posture Discovery and Assessment, Mobile Device Management, Native Supplicant Provisioning, Sponsor, and My Devices portals. The certificate designated for EAP is used to secure all client authentication using EAP protocols including PEAP, EAP-TLS, and EAP-FAST.

For example, if you have an ISE deployment with two PSN nodes (psn1 and psn2 with eth0, eth1, and eth2 interfaces enabled) and you want to create a multi-domain certificate without wildcards, then your values would be:

CN=aaa.company.local (FQDN of an ISE node in the deployment)
SAN=DNS.1=aaa.company.local, DNS.2=psn1.company.local, DNS.3=psn2.company.local, DNS.4=psn1-e1.company.local, DNS.5=psn2-e1.company.local, DNS.6=psn1-e2.company.local, DNS.7=psn2-e2.company.local

Tip
If you are planning to deploy additional Policy Service nodes in the future, then you can add additional DNS name entries in the SAN field so that you can reuse the same certificate at the time of deploying the new nodes. For cases where an IP address needs to be specified in the SAN field of the certificate (for example, DMZ with a static IP address for URL re-direction), ensure that you specify the IP address of the policy service node as the DNS Name and IP Address in the SAN field of the certificate. For example, CN=psn.ise.local and SAN=DNS.1=psn.ise.local, DNS.2=*.ise.local, DNS.3=10.1.1.20, IP.1=10.1.1.20.

Before You Begin
For Microsoft native supplicants, use the wildcard character in the SAN field of the certificate.

Step 1
Enter a generic hostname for the CN field of the Subject. For example, CN=aaa.ise.local.

Step 2
Enter the same generic hostname and a wildcard notation in the SAN field of the certificate. For example, DNS Name=aaa.ise.local, DNS Name=*.ise.local. See Figure E-3. This method is successful with the majority of the tested public Certificate Authorities such as Comodo.com and SSL.com. With these public CAs, you must request a "Unified Communications Certificate (UCC)."
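Assembling the SAN list by hand for a multi-domain certificate is where entries get missed, so the following added example generates it from a description of the deployment using the naming the examples above use (node name for eth0, node-e1 and node-e2 for eth1 and eth2, a static IP listed as both a DNS name and an IP entry, the wildcard beside the generic CN) and writes the result into an OpenSSL req configuration for review. This is not Cisco ISE code: Cisco ISE generates its own CSR from the Admin portal (see Creating a Certificate Signing Request for Wildcard Certificates), and this block only shows the equivalent field set. Node names, domains and addresses are constructed.

```python
"""Builds the subjectAltName entries for a multi-domain or wildcard ISE server
certificate and renders an OpenSSL req(1) config so the field set can be
reviewed before a CSR is requested. Added example, not Cisco ISE code; the
naming convention follows the page's own examples and all names are constructed."""


def san_entries(cn, domain, nodes=(), interfaces=(), wildcard=False,
                extra_fqdns=(), static_ips=()):
    """Returns DNS.n= and IP.n= lines in OpenSSL alt_names order."""
    names = [cn]
    if wildcard:
        names.append(f"*.{domain}")
    else:
        # Without a wildcard every node and every enabled interface needs its own name,
        # using the node-eN convention from the multi-domain example above.
        for iface in interfaces:
            suffix = "" if iface == "eth0" else f"-e{iface[len('eth'):]}"
            names.extend(f"{node}{suffix}.{domain}" for node in nodes)
    names.extend(extra_fqdns)      # portal or load-balancer FQDNs such as sponsor or mydevices
    names.extend(static_ips)       # a static IP is also listed as a DNS name (per the Tip)
    seen, dns = set(), []
    for name in names:             # drop duplicates (e.g. CN equal to a node FQDN), keep order
        if name not in seen:
            seen.add(name)
            dns.append(name)
    entries = [f"DNS.{i}={name}" for i, name in enumerate(dns, 1)]
    entries += [f"IP.{i}={ip}" for i, ip in enumerate(static_ips, 1)]
    return entries


def openssl_req_config(cn, entries, key_bits=2048):
    """OpenSSL req config with the SAN in an alt_names section; 2048-bit RSA and
    SHA-256 are the FIPS-mode settings this appendix calls for."""
    alt_names = "\n".join(entries)
    return (
        "[req]\n"
        f"default_bits = {key_bits}\n"
        "default_md = sha256\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "req_extensions = v3_req\n\n"
        "[dn]\n"
        f"CN = {cn}\n\n"
        "[v3_req]\n"
        "subjectAltName = @alt_names\n\n"
        "[alt_names]\n"
        f"{alt_names}\n"
    )


if __name__ == "__main__":
    # The page's multi-domain example: psn1 and psn2 with eth0, eth1 and eth2 enabled.
    multi = san_entries("aaa.company.local", "company.local",
                        nodes=("psn1", "psn2"), interfaces=("eth0", "eth1", "eth2"),
                        extra_fqdns=("sponsor.company.local", "mydevices.company.local"))
    print(openssl_req_config("aaa.company.local", multi))
    # The Tip's wildcard-plus-static-IP example.
    wild = san_entries("psn.ise.local", "ise.local", wildcard=True, static_ips=("10.1.1.20",))
    print(openssl_req_config("psn.ise.local", wild))
```

Written to a file such as ise.cnf, the output can be fed to openssl req -new -newkey rsa:2048 -nodes -keyout ise.key -out ise.csr -config ise.cnf to produce a CSR with the same CN and SAN values you would enter in the Admin portal, which makes it easy to diff the planned SAN against the list of node names, interface aliases and portal FQDNs before the request goes to the CA.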

What To Do Next

Import the wildcard certificates into the Policy Service nodes.

Related Topics

Installing Wildcard Certificates in Cisco ISE, page E-10

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 OL-27044-01

E-9

Appendix E

Certificate Management in Cisco ISE

Local Certificates

Installing Wildcard Certificates in Cisco ISE

Before You Begin

If you have enabled non-eth0 interfaces, ensure that you map a host alias to each such interface using the ip host command from the CLI. See Fully Qualified Domain Name in URL Redirection for more information.

To install wildcard certificates, you must perform the following tasks:

Step 1

Create the Certificate Signing Request for Wildcard Certificates. See Creating a Certificate Signing Request for Wildcard Certificates, page E-10.

Step 2

Export the Certificate Signing Request. See Exporting the Certificate Signing Request, page E-11.

Step 3

Submit the Certificate Signing Request to a Certificate Authority. See Submitting the CSR to a Certificate Authority, page E-11.

Step 4

Import the Root Certificates to the Certificate Store. See Importing the Root Certificates to the Certificate Store, page E-12.

Step 5

Bind the Certificate Signing Request with the new public certificate. See Binding the CSR With the New Public Certificate, page E-13.

Step 6

Export the CA-Signed Certificate and Private Key. See Exporting the CA-Signed Certificate and Private Key, page E-13.

Step 7

Import the CA-Signed Certificate and Private Key in to all the Policy Service nodes. See Importing the CA-Signed Certificate to the Policy Service Nodes, page E-13.

Creating a Certificate Signing Request for Wildcard Certificates

Step 1

Choose Administration > Certificates > Local Certificates.

Step 2

Click Add > Generate Certificate Signing Request.

Step 3

In the Certificate Subject, enter the generic FQDN of any one of your Policy Service nodes. For example, CN=psn.ise.local.

Step 4

Enter two values for the SAN. One of the values must be same as the CN that you entered for the Certificate Subject. The other value is the wildcard notation. For example, DNS name=psn.ise.local, DNS name=*.ise.local.

Step 5

Check the Allow Wildcard Certificates check box.


Figure E-4 Certificate Signing Request Using a Wildcard Notation

Step 6

Click Submit.

Exporting the Certificate Signing Request

Step 1

Choose Administration > Certificates > Certificate Signing Requests.

Step 2

Check the check box next to the CSR that you generated. For example, psn.ise.local.

Step 3

Click Export.

Step 4

Save the CSR to your local system.

Submitting the CSR to a Certificate Authority

Step 1

Open the CSR in a text editor such as Notepad.

Step 2

Copy all the text from “-----BEGIN CERTIFICATE REQUEST-----” through “-----END CERTIFICATE REQUEST-----.”

Step 3

Paste the contents of the CSR in to the certificate request of a chosen CA. See Figure E-5.


Figure E-5 CSR Content in a Certificate Request Form - Active Directory CA

Step 4

Download the signed certificate. Some CAs might email the signed certificate to you. The signed certificate is in the form of a zip file that contains the newly issued certificate and the public signing certificates of the CA, which you must add to the Cisco ISE trusted certificate store. See Figure E-6.

Figure E-6 Certificates Returned By the CA

Importing the Root Certificates to the Certificate Store

Before You Begin

Before you bind the newly signed certificate to the CSR on Cisco ISE, ensure that the signing root certificates (and any intermediate CA certificates in the chain) exist in the Cisco ISE Certificate Store.

Step 1

Choose Administration > Certificates > Certificate Store.


Step 2

Click Import.

Step 3

Choose the root certificates returned by your CA.

Binding the CSR With the New Public Certificate

Step 1

Choose Administration > Certificates > Local Certificates.

Step 2

Click Add > Bind CA signed Certificate.

Step 3

Choose the CA-signed certificate.

Step 4

Check the Allow Wildcard Certificates check box.

Step 5

Choose the protocol.

Step 6

Click Submit.

Exporting the CA-Signed Certificate and Private Key

Step 1

Choose Administration > Certificates > Local Certificates.

Step 2

Check the check box next to the CA-signed certificate and click Export.

Step 3

Save the file to your local system.

Importing the CA-Signed Certificate to the Policy Service Nodes

Step 1

Choose Administration > Certificates > Certificate Store.

Step 2

Choose the CA-signed certificate that you exported.

Step 3

Click Submit.

Installing a CA-Signed Certificate in Cisco ISE

The procedure for installing a CA-signed certificate is as follows:

Step 1

In the Cisco ISE administration interface of the node requiring the CA-signed certificate, generate a Certificate Signing Request (CSR).

Step 2

Export the CSR into a file.

Step 3

Provide the CSR file to the Certificate Authority and request the CA to create and sign a certificate using the attributes specified in the CSR. The CA should return the certificate in a file.


Step 4

In the Cisco ISE administration interface of the same node, bind the CA-signed certificate to its private key, which is kept with the CSR on the node. Designate the certificate for HTTPS and/or EAP-TLS use.

Note

If you are going to use the CA-signed certificate for HTTPS, the subject Common Name value specified for the CSR must match the fully qualified domain name (FQDN) of the Cisco ISE node, or must match the wildcard domain name specified in the SAN/CN field of the certificate. Cisco ISE checks for a matching subject name as follows:

1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.

2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.

3. If no match is found, the certificate is rejected.
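The matching rule above, together with the SAN planning from the multi-domain example earlier in this appendix (two PSNs with eth0, eth1, and eth2 enabled), as an added Python example. This is not Cisco ISE code: the host names are constructed, and the one-label wildcard semantics (*.ise.local covers psn3.ise.local but not psn3.dmz.ise.local) is the standard TLS rule, assumed here rather than stated by the appendix.

```python
"""Plan the SAN list for a multi-node Cisco ISE deployment and apply the
subject-name matching rule described in this appendix: SAN DNS names are
checked first, the subject CN only when the SAN carries no DNS names.

Added example, standard library only. Host names and the one-label wildcard
rule are assumptions made for illustration, not taken from the appendix."""

from __future__ import annotations


def build_san_list(domain: str, generic_host: str,
                   psns: dict[str, list[str]]) -> list[str]:
    """Return the DNS SAN entries for a non-wildcard multi-domain certificate.

    psns maps each PSN hostname to its enabled interfaces ("eth0", "eth1", ...).
    eth0 is addressed by the bare hostname; ethN (N > 0) by the "<host>-eN"
    alias that must also be mapped with the "ip host" CLI command. The generic
    name is listed first so it can double as the CN.
    """
    sans = [f"{generic_host}.{domain}"]
    all_ifaces = sorted({i for ifs in psns.values() for i in ifs},
                        key=lambda s: int(s[len("eth"):]))
    for iface in all_ifaces:            # interface-major order, as in the appendix example
        n = int(iface[len("eth"):])
        for host, ifs in psns.items():
            if iface in ifs:
                sans.append(f"{host}.{domain}" if n == 0 else f"{host}-e{n}.{domain}")
    return sans


def name_matches(pattern: str, fqdn: str) -> bool:
    """Case-insensitive exact match, or a "*.domain" wildcard covering exactly
    one left-most label (assumption: standard TLS wildcard semantics)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    suffix = pattern[1:]                # ".ise.local"
    if not fqdn.endswith(suffix):
        return False
    label = fqdn[: len(fqdn) - len(suffix)]
    return bool(label) and "." not in label


def ise_accepts(node_fqdn: str, san_dns: list[str] | None,
                subject_cn: str | None) -> tuple[bool, str]:
    """The three-step check from the note above, for a certificate designated
    for HTTPS on the node whose FQDN is node_fqdn."""
    if san_dns:                         # step 1: the SAN carries DNS names
        for name in san_dns:
            if name_matches(name, node_fqdn):
                return True, f"SAN dNSName {name} matches {node_fqdn}"
        return False, "SAN has DNS names but none match; the subject CN is not consulted"
    if subject_cn and name_matches(subject_cn, node_fqdn):   # step 2: CN fallback
        return True, f"no DNS names in SAN; subject CN {subject_cn} matches {node_fqdn}"
    return False, "no match in SAN or subject CN; certificate rejected"   # step 3


if __name__ == "__main__":
    # Constructed deployment: two PSNs with eth0..eth2 enabled, as in the appendix example.
    sans = build_san_list("company.local", "aaa",
                          {"psn1": ["eth0", "eth1", "eth2"], "psn2": ["eth0", "eth1", "eth2"]})
    print("SAN=" + ", ".join(f"DNS.{i}={n}" for i, n in enumerate(sans, 1)))
    for fqdn in ("psn2-e1.company.local", "psn3.company.local"):
        print(fqdn, ise_accepts(fqdn, sans, "aaa.company.local"))
    # Wildcard certificate: covers a future PSN in ise.local, but not one in a sub-domain.
    wild = ["psn.ise.local", "*.ise.local"]
    for fqdn in ("psn3.ise.local", "psn3.dmz.ise.local"):
        print(fqdn, ise_accepts(fqdn, wild, "psn.ise.local"))
```

Run it before you submit a CSR: every FQDN and interface alias that will ever serve a portal or the Admin interface should come back accepted, and the second wildcard case shows why a PSN in a sub-domain still needs its own entry.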

X.509 certificates imported to Cisco ISE must be in privacy-enhanced mail (PEM) or distinguished encoding rule (DER) format. Files containing a certificate chain, which is a local certificate along with the sequence of trust certificates that sign it, can be imported, subject to certain restrictions. See Importing Certificate Chains, page E-28 for more information.

X.509 certificates are only valid until a specific date. When a local certificate expires, the Cisco ISE functionality that depends on the certificate is impacted. Cisco ISE will notify you about the pending expiration of a local certificate when the expiration date is within 90 days. This notification appears in several ways:

• Colored expiration status icons appear in the Local Certificates page.

• Expiration messages appear in the Cisco ISE System Diagnostic report.

• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before expiration.

If the expiring certificate is a self-signed certificate, you can extend its expiration date by editing the certificate. For a CA-signed certificate, you must allow sufficient time to acquire a replacement certificate from your CA.

You can perform the following tasks from the Cisco ISE administration interface to manage local certificates:

• View a list of the local certificates stored on a Cisco ISE node. The list shows the protocol assignment (HTTPS, EAP-TLS) of each certificate, along with its expiration status.

• Generate a CSR

• Export a CSR

• Bind a CA-signed certificate to its private key

• Export a local certificate and, optionally, its private key

• Import a local certificate and its private key




• Generate a self-signed local certificate

• Edit a local certificate, which includes extending the expiration date if the certificate is self-signed

• Delete a local certificate

• Delete a CSR

This section contains the following topics:

• Viewing Local Certificates, page E-15

• Adding a Local Certificate, page E-16

• Editing a Local Certificate, page E-21

• Exporting a Local Certificate, page E-22

Related Topics

• Wildcard Certificates, page E-4

• Fully Qualified Domain Name in URL Redirection, page E-6

• Importing a Local Certificate, page E-16

• Generating a Certificate Signing Request, page E-19

• Binding a CA-Signed Certificate, page E-20

Viewing Local Certificates

The Local Certificate page lists all the local certificates added to Cisco ISE.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Local Certificates. The Local Certificate page appears and provides the following information for the local certificates:

• Friendly Name—Name of the certificate.

• Protocol—Protocols for which to use this certificate.

• Issued To—Common Name of the certificate subject.

• Issued By—Common Name of the certificate issuer.

• Valid From—Date on which the certificate was created, also known as the Not Before certificate attribute.

• Expiration Date—Expiration date of the certificate, also known as the Not After certificate attribute.

• Expiration Status—Indicates when the certificate expires. There are five categories, each with an associated icon:

1. Expiring in more than 90 days (green icon)

2. Expiring in 90 days or less (blue icon)

3. Expiring in 60 days or less (yellow icon)

4. Expiring in 30 days or less (orange icon)

5. Expired (red icon)
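The five expiration categories above, the alarm schedule (90 days, 60 days, then daily in the final 30 days) and the renewal advice from the start of this section, as an added Python example that runs over a constructed inventory. This is not Cisco ISE code: it counts calendar days to the Not After date, and the assumption that an already-expired certificate keeps alarming daily is this example's, not the appendix's.

```python
"""Expiration status categories, alarm schedule and renewal action for Cisco
ISE local certificates, applied to an inventory.

Added example, standard library only. The inventory is constructed; the
treatment of an already-expired certificate (it keeps alarming daily) and the
use of calendar days rather than the exact Not After time are assumptions."""

from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LocalCert:
    friendly_name: str
    protocols: tuple[str, ...]        # e.g. ("HTTPS",), ("EAP",), ("HTTPS", "EAP")
    not_after: date                   # the Not After attribute
    self_signed: bool


def iso(s: str) -> date:
    """Parse a YYYY-MM-DD date (convenience for building inventories)."""
    return date.fromisoformat(s)


def days_left(not_after: date, today: date) -> int:
    return (not_after - today).days


def expiration_status(not_after: date, today: date) -> tuple[str, str]:
    """Return (category, icon colour) using the five bands of the Local
    Certificates page: >90 green, <=90 blue, <=60 yellow, <=30 orange, expired red."""
    d = days_left(not_after, today)
    if d < 0:
        return "Expired", "red"
    if d <= 30:
        return "Expiring in 30 days or less", "orange"
    if d <= 60:
        return "Expiring in 60 days or less", "yellow"
    if d <= 90:
        return "Expiring in 90 days or less", "blue"
    return "Expiring in more than 90 days", "green"


def alarm_due(not_after: date, today: date) -> bool:
    """Alarms fire at 90 days, at 60 days, and every day in the final 30 days."""
    d = days_left(not_after, today)
    return d in (90, 60) or d <= 30


def renewal_action(cert: LocalCert, today: date) -> str:
    """A self-signed certificate can be extended by editing it; a CA-signed one
    needs lead time to obtain a replacement from the CA."""
    d = days_left(cert.not_after, today)
    if d > 90:
        return "none"
    if cert.self_signed:
        return "edit certificate and extend Expiration TTL"
    return "request replacement from CA now" if d <= 30 else "open CA request; allow lead time"


def report(inventory: list[LocalCert], today: date) -> list[dict]:
    """Rows sorted soonest-expiry first, with status icon, alarm flag and action."""
    rows = []
    for c in sorted(inventory, key=lambda c: c.not_after):
        cat, colour = expiration_status(c.not_after, today)
        rows.append({"name": c.friendly_name, "protocols": "/".join(c.protocols),
                     "days_left": days_left(c.not_after, today), "status": cat,
                     "icon": colour, "alarm": alarm_due(c.not_after, today),
                     "action": renewal_action(c, today)})
    return rows


if __name__ == "__main__":
    today = iso("2014-01-23")         # constructed "now"
    inventory = [                     # constructed inventory
        LocalCert("psn-https", ("HTTPS",), iso("2014-04-23"), self_signed=False),        # 90 days
        LocalCert("psn-eap", ("EAP",), iso("2014-03-24"), self_signed=False),            # 60 days
        LocalCert("lab-selfsigned", ("HTTPS", "EAP"), iso("2014-02-22"), self_signed=True),  # 30 days
        LocalCert("old-admin", ("HTTPS",), iso("2014-01-22"), self_signed=False),        # expired
        LocalCert("new-wildcard", ("HTTPS", "EAP"), iso("2015-01-23"), self_signed=False),
    ]
    for row in report(inventory, today):
        print(f"{row['name']:<15} {row['days_left']:>5}d  {row['icon']:<7} "
              f"alarm={row['alarm']!s:<5} {row['action']}")
```

Feed it the Expiration Date column of the Local Certificates page from each node (the appendix says CSRs and certificates are per node), and the "open CA request" rows are the ones to act on before the daily alarms start.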

Related Topics

• Wildcard Certificates, page E-4

Adding a Local Certificate

You can add a local certificate to Cisco ISE in one of the following ways:

• Importing a Local Certificate, page E-16

• Generating a Self-Signed Certificate, page E-18

• Generating a Certificate Signing Request, page E-19 and Binding a CA-Signed Certificate, page E-20

Note

If you are planning to import a wildcard certificate, ensure that you have read the following sections:

• Wildcard Certificates, page E-4

• Creating a Wildcard Certificate, page E-8

• Installing Wildcard Certificates in Cisco ISE, page E-10

If you are using Firefox or Internet Explorer 8 and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.

Importing a Local Certificate

You can add a new local certificate by importing a local certificate.

Before You Begin

Ensure that you have the local certificate and the private key file on the system that is running the client browser. To perform the following task, you must be a Super Admin or System Admin. If the local certificate that you import contains the basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are set.

Step 1

Choose Administration > System > Certificates > Local Certificates. To import a local certificate to a secondary node, choose Administration > System > Server Certificate.

Step 2

Choose Add > Import Local Server Certificate.

Step 3

Click Browse to choose the certificate file and the private key from the system that is running your client browser. If the private key is encrypted, enter the Password to decrypt it.


Step 4

Enter a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format ## where is a unique five-digit number.

Step 5

Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate certificate extensions. If you check the Enable Validation of Certificate Extensions check box and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.

Step 6

Check the Allow Wildcard Certificates check box if you want to import a wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or in a DNS name in the Subject Alternative Name).

Step 7

In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols to identify the Cisco ISE node.

• Check the HTTPS check box to use this certificate to authenticate the web server. If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node, or a wildcard notation if a wildcard certificate is used. Otherwise, the import process will fail.

Step 8

Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as an existing certificate. This option updates the content of the certificate, but retains the existing protocol selections for the certificate.

Note

If Cisco ISE is set to operate in FIPS mode, the certificate RSA key size must be 2048 bits or greater and the certificate must use either the SHA-1 or the SHA-256 hash algorithm.

Step 9

Click Submit to import the local certificate. If you import a local certificate to your primary Cisco ISE node and the management interface option is enabled on the node in your deployment, Cisco ISE automatically restarts the application server on the node. Otherwise, you must restart the secondary nodes that are connected to your primary Cisco ISE node. To restart the secondary nodes from the CLI, enter the following commands in the given order:

a. application stop ise

b. application start ise

Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.2 for more information on these commands.
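A pre-flight check that applies, before you click Submit, the constraints the import procedure above states: the FIPS-mode key size and digest limits, the key usage requirement for a certificate whose basic constraints CA flag is true, the Allow Wildcard Certificates check box, and the duplicate rule behind Replace Certificate. Added Python example, not Cisco ISE code; certificates are described by constructed records (the CertInfo field names are this example's), not parsed from X.509 files.

```python
"""Pre-flight check for importing or binding a Cisco ISE local certificate,
applying the rules stated in the import procedure: FIPS key/digest limits, key
usage when basicConstraints CA is true, the Allow Wildcard Certificates flag,
and duplicate detection for Replace Certificate.

Added example, standard library only. Certificates are described by constructed
CertInfo records rather than parsed X.509; the field names are assumptions."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    subject_cn: str
    issuer_cn: str
    serial: str                                   # hex serial number
    san_dns: tuple[str, ...] = ()
    rsa_bits: int = 2048
    sig_hash: str = "sha256"                      # digest of the signature algorithm
    ca: bool = False                              # basicConstraints CA flag
    key_usage: frozenset[str] = frozenset()       # e.g. {"digitalSignature", "keyEncipherment"}


@dataclass(frozen=True)
class ImportOptions:
    fips_mode: bool = False
    validate_extensions: bool = True
    allow_wildcard: bool = False
    replace_certificate: bool = False


def has_wildcard(cert: CertInfo) -> bool:
    """Asterisk in the subject CN or in any SAN DNS name."""
    return "*" in cert.subject_cn or any("*" in n for n in cert.san_dns)


def is_duplicate(new: CertInfo, existing: CertInfo) -> bool:
    """Appendix rule: same serial number and the same subject or the same issuer."""
    return new.serial.lower() == existing.serial.lower() and (
        new.subject_cn == existing.subject_cn or new.issuer_cn == existing.issuer_cn)


def preflight(cert: CertInfo, opts: ImportOptions, store: list[CertInfo]) -> list[str]:
    """Return the reasons the import would be rejected with these options;
    an empty list means it should go through."""
    findings: list[str] = []
    if opts.fips_mode:
        if cert.rsa_bits < 2048:
            findings.append(f"FIPS mode: RSA key is {cert.rsa_bits} bits, need 2048 or more")
        if cert.sig_hash.lower() not in ("sha1", "sha256"):
            findings.append(f"FIPS mode: signature digest {cert.sig_hash} is not SHA-1 or SHA-256")
    if opts.validate_extensions and cert.ca:
        if not cert.key_usage & {"keyEncipherment", "keyAgreement"}:
            findings.append("basicConstraints CA=true but key usage lacks keyEncipherment/keyAgreement")
    if has_wildcard(cert) and not opts.allow_wildcard:
        findings.append("wildcard in CN or SAN but Allow Wildcard Certificates is not checked")
    dups = [e for e in store if is_duplicate(cert, e)]
    if dups and not opts.replace_certificate:
        findings.append(f"duplicate of {dups[0].subject_cn} (serial {dups[0].serial}); "
                        "check Replace Certificate to update it")
    return findings


if __name__ == "__main__":
    # Constructed store and candidate certificate.
    store = [CertInfo("psn.ise.local", "Corp Issuing CA", "1A2B", ("psn.ise.local",))]
    candidate = CertInfo("psn.ise.local", "Corp Issuing CA", "3C4D",
                         ("psn.ise.local", "*.ise.local"), rsa_bits=2048, sig_hash="sha256")
    for label, opts in (("defaults", ImportOptions()),
                        ("wildcard allowed + FIPS", ImportOptions(fips_mode=True, allow_wildcard=True))):
        print(label + ":", preflight(candidate, opts, store) or "OK")
```

The "defaults" run fails only on the wildcard flag, which is the check most often missed when a renewed certificate gains a *.domain entry; the FIPS run passes because the candidate already meets the 2048-bit and SHA-256 requirements.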

Related Topics

• Wildcard Certificates, page E-4

• Creating a Wildcard Certificate, page E-8

• Installing Wildcard Certificates in Cisco ISE, page E-10


Generating a Self-Signed Certificate

You can add a new local certificate by generating a self-signed certificate. Cisco recommends that you only employ self-signed certificates for your internal testing and evaluation needs. If you are planning to deploy Cisco ISE in a production environment, be sure to use CA-signed certificates whenever possible to ensure more uniform acceptance around a production network.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Local Certificates. To generate a self-signed certificate from a secondary node, choose Administration > System > Server Certificate.

Step 2

Choose Add > Generate Self Signed Certificate.

Step 3

Enter the following information in the Generate Self Signed Certificate page:

• Certificate Subject—A distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a Common Name (CN) value.

• Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.

• Required Key Length—Valid values are 512, 1024, 2048, and 4096. If you are deploying Cisco ISE as a FIPS-compliant policy management engine, you must specify a 2048-bit or larger key length. Choose 2048 bits or larger in any case; 512-bit and 1024-bit RSA keys are too weak for production use.

• Digest to Sign With—The hash algorithm used in the certificate signature: SHA-1 or SHA-256. The digest does not encrypt anything; SHA-256 is the stronger choice.

• Certificate Expiration TTL—You can specify an expiration time period in days, weeks, months, or years.

• If you would like to specify a Friendly Name for the certificate, enter it in the field below the private key password. If you do not specify a name, Cisco ISE automatically creates a name in the format ## where is a unique five-digit number.

Step 4

Check the Allow Wildcard Certificates check box if you want to generate a self-signed wildcard certificate (a certificate that contains an asterisk (*) in any Common Name in the Subject and/or in a DNS name in the Subject Alternative Name). For example, the DNS name assigned to the SAN can be *.amer.cisco.com.

Step 5

In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.

• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE portals. If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node. Otherwise, the self-signed certificate will not be generated.

If the HTTPS check box is checked, then the application server on the Cisco ISE node will be restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment, then the application server on all other nodes in the deployment will also be restarted. They will restart one node at a time, after the Primary Administration node restart has completed.

Step 6

In the Override Policy area, check the Replace Certificate check box to replace an existing certificate with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as an existing certificate. This option updates the content of the certificate, but retains the existing protocol selections for the certificate.


Step 7

Click Submit to generate the certificate.

Note

If you are using a self-signed certificate and you must change the hostname of your Cisco ISE node, you must log in to the Admin portal of the Cisco ISE node, delete the self-signed certificate that has the old hostname, and generate a new self-signed certificate. Otherwise, Cisco ISE will continue to use the self-signed certificate with the old hostname.

Related Topics

• Wildcard Certificates, page E-4

• Installing Wildcard Certificates in Cisco ISE, page E-10

Generating a Certificate Signing Request

You can add a new local certificate by generating a certificate signing request and then binding a CA-signed certificate.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Local Certificates. To generate a CSR from a secondary node, choose Administration > System > Server Certificate.

Step 2

Choose Add > Generate Certificate Signing Request.

Step 3

Enter the certificate subject and the required key length. The certificate subject is a distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a common name value. Elements of the distinguished name are:

• C = Country

• ST = State or province

• L = Locality (City)

• O = Organization name

• OU = Organizational unit name

• CN = Common name

• E = E-mail address

For example, the Certificate Subject in a CSR can take the following values: “CN=Host-ISE.cisco.com, OU=Cisco, O=security, C=US, ST=NC, L=RTP, [email protected]” or “CN=aaa.amer.cisco.com, DNS name in SAN=*.amer.cisco.com, OU=Cisco, O=security, C=US, ST=NC, L=RTP, [email protected].”

Note

When populating the Certificate Subject field, do not encapsulate the string in quotation marks.

If you intend to use the certificate generated from this CSR for HTTPS communication, ensure that the common name value in the Certificate Subject is the FQDN of the node. Otherwise, you will not be able to select Management Interface when binding the generated certificate.

Step 4

Subject Alternative Name—A DNS name or IP Address that is associated with the certificate.


Step 5

Choose the digest algorithm with which the certificate will be signed: SHA-1 or SHA-256. SHA-256 is the stronger choice.

Note

If Cisco ISE is set to operate in FIPS mode, the certificate RSA key size must be 2048 bits or greater and the certificate must use either the SHA-1 or the SHA-256 hash algorithm.

Step 6

Check the Allow Wildcard Certificates check box if the Certificate Subject contains a CN or SAN with a wildcard FQDN.

Step 7

Click Submit to generate a CSR. A CSR and its private key are generated and stored in Cisco ISE. You can view this CSR in the Certificate Signing Requests page. You can export the CSR and send it to a CA to obtain a signature.

Related Topics

• Wildcard Certificates, page E-4

• Creating a Certificate Signing Request for Wildcard Certificates, page E-10

Binding a CA-Signed Certificate

After a Certificate Signing Request is signed by a Certificate Authority and returned to you, you must bind the CA-signed certificate with its private key to complete the process of adding a local certificate in Cisco ISE.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Local Certificates. To bind a CA-signed certificate to a secondary node, choose Administration > System > Server Certificate.

Step 2

Choose Add > Bind CA Certificate.

Step 3

Click Browse to choose the CA-signed certificate and choose the appropriate CA-signed certificate.

Step 4

Specify a Friendly Name for the certificate. If you do not specify a name, Cisco ISE automatically creates a name in the format ## where is a unique five-digit number.

Step 5

Check the Enable Validation of Certificate Extensions check box if you want Cisco ISE to validate certificate extensions. Note

If you enable the Enable Validation of Certificate Extensions option, and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.

Step 6

Check the Allow Wildcard Certificates check box to bind a certificate that contains the wildcard character, asterisk (*), in any CN in the Subject or in any DNS name in the Subject Alternative Name.

Step 7

In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.

• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal. If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node, or a wildcard notation if a wildcard certificate is used. Otherwise, the bind operation will fail.

If the HTTPS check box is checked, then the application server on the Cisco ISE node will be restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment, then the application server on all other nodes in the deployment will also be restarted. They will restart one node at a time, after the Primary Administration node restart has completed.

Step 8

Check the Replace Certificate check box to replace an existing certificate with a duplicate certificate. A certificate is considered a duplicate if it has the same subject or issuer and the same serial number as an existing certificate. This option updates the content of the certificate, but retains the existing protocol selections for the certificate.

Step 9

Click Submit to bind the CA-signed certificate.

Related Topics

• Wildcard Certificates, page E-4

• Installing Wildcard Certificates in Cisco ISE, page E-10

Editing a Local Certificate

You can use this page to edit local certificates.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Local Certificates. To edit a local certificate on a secondary node, choose Administration > System > Server Certificate.

Step 2

Check the check box next to the certificate that you want to edit, and click Edit.

Step 3

You can edit the following:

• Friendly name

• Description

• Protocols

• Expiration TTL (if the certificate is self-signed)

Step 4

Enter an optional friendly name and description to identify this certificate.

Step 5

In the Protocol group box:

• Check the EAP check box to use this certificate for EAP protocols that use SSL/TLS tunneling.

• Check the HTTPS check box to use this certificate to authenticate the Cisco ISE web portal.

If the HTTPS check box is checked, then the application server on the Cisco ISE node will be restarted. In addition, if the Cisco ISE node is the Primary Administration node in a deployment, then the application server on all other nodes in the deployment will also be restarted. They will restart one node at a time, after the Primary Administration node restart has completed.

Note

If you check the Management Interface check box, ensure that the Common Name value in the Certificate Subject matches the fully qualified domain name (FQDN) of the node, or a wildcard notation if a wildcard certificate is used. If the Common Name value is blank, the edit operation will fail.

A protocol can be assigned to only one local certificate at a time; selecting it here removes it from the certificate that currently has it. For example, if local_certificate_1 is currently designated for EAP and you check the EAP check box while editing local_certificate_2, then after you save the changes to local_certificate_2, local_certificate_1 will no longer be associated with EAP.

Step 6

Check the Renew Self Signed Certificate check box if you are editing a self-signed certificate and want to extend the Expiration Date.

Step 7

Enter the Expiration TTL (Time to Live) in days, weeks, months, or years.

Step 8

Click Save to save your changes.

Related Topics

• Wildcard Certificates, page E-4

• Creating a Wildcard Certificate, page E-8

• Installing Wildcard Certificates in Cisco ISE, page E-10

Exporting a Local Certificate

You can export a selected local certificate or a certificate and its associated private key. If you export a certificate and its private key for backup purposes, you can reimport them later if needed.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Local Certificates. To export a local certificate from a secondary node, choose Administration > System > Server Certificate.

Step 2

Check the check box next to the certificate that you want to export and then click Export.

Step 3

Choose whether to export only the certificate, or the certificate and its associated private key.

Tip

We do not recommend exporting the private key associated with a certificate because its value may be exposed. If you must export a private key, specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key.

Step 4

Choose the certificate component that you want to export.


Step 5

Enter the password if you have chosen to export the private key. The password should be at least 8 characters long.

Step 6

Click OK to save the certificate to the file system that is running your client browser. If you export only the certificate, the certificate is stored in the privacy-enhanced mail format. If you export both the certificate and private key, the certificate is exported as a .zip file that contains the certificate in the privacy-enhanced mail format and the encrypted private key file.

Related Topics

• Importing a Local Certificate, page E-16

Certificate Signing Requests

The list of Certificate Signing Requests (CSRs) that you have created is available in the Certificate Signing Requests page. To obtain signatures from a CA, you must export the CSRs to the local file system that is running your client browser. You must then send the CSRs to a CA. The CA will sign them and return your certificates.

Note

If your Cisco ISE deployment has multiple nodes in a distributed setup, you must export the CSRs from each node in your deployment individually.

Related Topic

Exporting Certificate Signing Requests, page E-23

Exporting Certificate Signing Requests

You can use this page to export certificate signing requests.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Certificate Signing Requests. If you want to export CSRs from a secondary node, choose Administration > System > Certificate Signing Requests.

Step 2

Check the check box next to the certificates that you want to export, and click Export.

Step 3

Click OK to save the file to the file system that is running the client browser.

Related Topics

• Wildcard Certificates, page E-4


Certificate Store

The Cisco ISE Certificate Store contains X.509 certificates that are used for trust and for Simple Certificate Enrollment Protocol (SCEP). The certificates in the Certificate Store are managed on the primary administration node, and are replicated to every node in the Cisco ISE deployment. Cisco ISE supports wildcard certificates. Cisco ISE uses the Certificate Store certificates for the following purposes:

• To verify client certificates used for authentication by endpoints, and by Cisco ISE administrators accessing the Admin Portal using certificate-based administrator authentication.

• To enable secure communication between Cisco ISE nodes in a deployment. The Certificate Store must contain the chain of CA certificates needed to establish trust with the local HTTPS server certificate on each node in a deployment.

  – If a self-signed certificate is used for the server certificate, the self-signed certificate from each node must be placed in the Certificate Store of the primary Administration node.

  – If a CA-signed certificate is used for the server certificate, the CA root certificate, as well as any intermediate certificates in the trust chain, must be placed in the Certificate Store of the primary Administration node.

• To enable secure LDAP authentication. A certificate from the Certificate Store must be selected when defining an LDAP identity source that will be accessed over SSL.

• For distribution to mobile devices preparing to register in the network using the My Devices portal. Cisco ISE implements SCEP on Policy Service Nodes (PSN) to support mobile device registration. A registering device uses the SCEP protocol to request a client certificate from a PSN. The PSN contains a registration authority (RA) that acts as an intermediary; it receives and validates the request from the registering device, and then forwards the request to a CA, which actually issues the client certificate. The CA sends the certificate back to the RA, which returns it to the device. Each SCEP CA used by Cisco ISE is defined by a SCEP RA Profile. When a SCEP RA Profile is created, two certificates are automatically added to the Certificate Store:

  a. A CA certificate (a self-signed certificate)

  b. An RA certificate (a Certificate Request Agent certificate), which is signed by the CA.

The SCEP protocol requires that these two certificates be provided by the RA to a registering device. By placing these two certificates in the Certificate Store, they are replicated to all PSN nodes for use by the RA on those nodes.

Note

X.509 certificates imported to Cisco ISE must be in Privacy-Enhanced Mail (PEM) or Distinguished Encoding Rule (DER) format. Files containing a certificate chain, that is, a local certificate along with the sequence of trust certificates that sign it, can be imported, subject to certain restrictions.

Related Topics

• Simple Certificate Enrollment Protocol Profiles, page E-29

• Importing Certificate Chains, page E-28

• Expiration of X.509 Certificates, page E-25

• CA Certificate Naming Constraint, page E-25

• Viewing Certificate Store Certificates, page E-26

• Changing the Status of a Certificate in Certificate Store, page E-26


• Adding a Certificate to Certificate Store, page E-27

• Editing a Certificate Store Certificate, page E-27

• Exporting a Certificate from the Certificate Store, page E-27

Expiration of X.509 Certificates

X.509 certificates are only valid until a specific date. Once a Certificate Store certificate expires, the Cisco ISE functionality that depends on the certificate is impacted. Cisco ISE notifies you about the pending expiration of a certificate when the expiration date is within 90 days. This notification appears in several ways:

• Colored expiration status icons appear in the Certificate Store page.

• Expiration messages appear in the Cisco ISE System Diagnostic report.

• Expiration alarms are generated at 90 days, 60 days, and every day in the final 30 days before expiration.

The Certificate Store is prepopulated with two Cisco CA certificates: a Manufacturing certificate and a Root certificate. The Root certificate signs the Manufacturing certificate. These certificates are disabled by default. If you have Cisco IP phones as endpoints in your deployment, you should enable these two certificates so the Cisco-signed client certificates for the phones can be authenticated.

This section contains the following topics:

• Viewing Certificate Store Certificates, page E-26

• Adding a Certificate to Certificate Store, page E-27

• Editing a Certificate Store Certificate, page E-27

• Exporting a Certificate from the Certificate Store, page E-27

• Importing Certificate Chains, page E-28

• Installation of CA Certificates for Cisco ISE Inter-node Communication, page E-28

CA Certificate Naming Constraint

A CA certificate in the CTL may contain a name constraint extension. This extension defines a namespace for the values of all subject name and subject alternative name fields of subsequent certificates in a certificate chain. Cisco ISE does not check constraints specified in a root certificate. The following name constraints are supported:

• Directory name

  The Directory name constraint should be a prefix of the directory name in the subject/SAN. For example,

  – Correct subject prefix:
    CA certificate name constraint: Permitted: O=Cisco
    Client certificate subject: O=Cisco,CN=Salomon

  – Incorrect subject prefix:
    CA certificate name constraint: Permitted: O=Cisco
    Client certificate subject: CN=Salomon,O=Cisco


• DNS

• E-mail

• URI (The URI constraint must start with a URI prefix such as http://, https://, ftp://, or ldap://.)

The following name constraints are not supported:

• IP address

• Othername

When a CA certificate contains a constraint that is not supported and the certificate that is being verified does not contain the appropriate field, it is rejected because Cisco ISE cannot verify unsupported constraints. The following is an example of the name constraints definition within the CA certificate:

X509v3 Name Constraints: critical
  Permitted:
    othername:
    email:.abcde.at
    email:.abcde.be
    email:.abcde.bg
    email:.abcde.by
    DNS:.dir
    DirName: DC = dir, DC = emea
    DirName: C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic
    DirName: C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic
    DirName: C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic
    DirName: C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100
    URI:.dir
    IP:172.23.0.171/255.255.255.255
  Excluded:
    DNS:.dir
    URI:.dir

An acceptable client certificate subject that matches the above definition is as follows:

Subject: DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1, CN=cwinwell
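A checker for the rules above, written as an added example (not Cisco code): the directory-name prefix comparison from the Correct/Incorrect pair, the root-certificate exemption, and the example constraint definition transcribed as data. The DNS, e-mail and URI matching rules are assumptions modelled on RFC 5280 (the guide only names those types), and an unsupported IP or othername constraint causes rejection when the certificate carries a name of that type, the conservative reading of the rule above.

```python
"""Name-constraint checks following the rules the guide describes for Cisco ISE.
Added example, not Cisco code: certificates are plain dictionaries of names rather
than parsed X.509 objects; DNS, e-mail and URI matching are assumptions."""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

NameList = Dict[str, List[str]]          # {"DirName": [...], "DNS": [...], ...}
UNSUPPORTED = {"IP", "othername"}        # constraint types Cisco ISE cannot verify

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'O = Cisco, CN=Salomon' -> [('O', 'Cisco'), ('CN', 'Salomon')].
    Attribute types are upper-cased; escaped commas are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        if attr.strip():
            rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dirname_matches(constraint: str, name: str) -> bool:
    """Directory-name rule: the constraint's RDNs must be a prefix of the
    name's RDNs, in the order in which they are written."""
    c, n = parse_dn(constraint), parse_dn(name)
    return len(c) <= len(n) and c == n[:len(c)]

def host_matches(constraint: str, host: str) -> bool:
    """Domain-style rule (assumed): '.dir' or 'dir' permits 'dir' itself and
    any host below it, compared case-insensitively."""
    base = constraint.lstrip(".").lower()
    host = host.lower()
    return host == base or host.endswith("." + base)

def email_matches(constraint: str, mailbox: str) -> bool:
    if "@" in constraint:                # a complete mailbox constraint
        return constraint.lower() == mailbox.lower()
    return host_matches(constraint, mailbox.rpartition("@")[2])

def uri_matches(constraint: str, uri: str) -> bool:
    # The URI must carry a scheme prefix such as http://, https://, ftp:// or
    # ldap://; the constraint is then applied to the host part (assumption).
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https", "ftp", "ldap") or not parsed.hostname:
        return False
    return host_matches(constraint, parsed.hostname)

MATCHERS = {"DirName": dirname_matches, "DNS": host_matches,
            "email": email_matches, "URI": uri_matches}

def check_name_constraints(ca_is_root: bool, constraints: Dict[str, NameList],
                           names: NameList) -> Tuple[bool, str]:
    """Verify one certificate's names against one CA certificate's constraints.
    constraints = {"Permitted": {...}, "Excluded": {...}}; names holds the
    subject (under "DirName") and the subject alternative names by type."""
    if ca_is_root:                       # constraints in a root certificate are not checked
        return True, "root CA: constraints not evaluated"
    permitted = constraints.get("Permitted", {})
    excluded = constraints.get("Excluded", {})
    for ntype in UNSUPPORTED:
        # An unverifiable constraint type: reject a certificate that has such a name.
        if (ntype in permitted or ntype in excluded) and names.get(ntype):
            return False, f"{ntype} constraint cannot be verified"
    for ntype, values in names.items():
        match = MATCHERS.get(ntype)
        if match is None:
            continue
        for value in values:
            if any(match(c, value) for c in excluded.get(ntype, [])):
                return False, f"{ntype} {value!r} is excluded"
            if permitted.get(ntype) and not any(match(c, value) for c in permitted[ntype]):
                return False, f"{ntype} {value!r} is outside the permitted namespace"
    return True, "ok"

# The CA constraint definition shown above, transcribed as data.
EXAMPLE_CONSTRAINTS = {
    "Permitted": {
        "othername": [],
        "email": [".abcde.at", ".abcde.be", ".abcde.bg", ".abcde.by"],
        "DNS": [".dir"],
        "DirName": ["DC = dir, DC = emea",
                    "C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic",
                    "C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic",
                    "C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic",
                    "C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100"],
        "URI": [".dir"],
        "IP": ["172.23.0.171/255.255.255.255"],
    },
    "Excluded": {"DNS": [".dir"], "URI": [".dir"]},
}
```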

Viewing Certificate Store Certificates

The Certificate Store page lists all the CA certificates that have been added to Cisco ISE. To view the CA certificates, you must be a Super Admin or System Admin. To view all the certificates, choose Administration > System > Certificates > Certificate Store. The Certificate Store page appears, listing all the CA certificates.

Changing the Status of a Certificate in Certificate Store

The status of a certificate must be enabled so that Cisco ISE can use the certificate for establishing trust. When a certificate is imported into the Certificate Store, it is automatically enabled.

Step 1

Choose Administration > System > Certificates > Certificate Store.

Step 2

Check the check box next to the certificate you want to enable or disable, and click Change Status.


Adding a Certificate to Certificate Store

The Certificate Store page allows you to add CA certificates to Cisco ISE.

Before You Begin

• To perform the following task, you must be a Super Admin or System Admin.

• Ensure that the certificate store certificate resides on the file system of the computer where your browser is running. The certificate must be in PEM or DER format.

Step 1

Choose Administration > System > Certificates > Certificate Store.

Step 2

Click Import.

Step 3

Configure the field values as necessary. If client certificate-based authentication is enabled, Cisco ISE restarts the application server on each node in your deployment, starting with the application server on the primary Administration node and followed, one by one, by each additional node.

Editing a Certificate Store Certificate

After you add a certificate to the Certificate Store, you can further edit it by using the edit settings.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Certificate Store.

Step 2

Check the check box next to the certificate that you want to edit, and click Edit.

Step 3

Modify the editable fields as required.

Step 4

Click Save to save the changes you have made to the certificate store.

Exporting a Certificate from the Certificate Store

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Choose Administration > System > Certificates > Certificate Store.

Step 2

Check the check box next to the certificate that you want to export, and click Export. You can export only one certificate at a time.

Step 3

Save the privacy-enhanced mail (PEM) file to the file system that is running your client browser.


Importing Certificate Chains

You can import multiple certificates from a single file that contains a certificate chain received from a Certificate store. All certificates in the file must be in Privacy-Enhanced Mail (PEM) format, and the certificates must be arranged in the following order:

• The last certificate in the file must be the client or server certificate being issued by the CA.

• All preceding certificates must be the root CA certificate plus any intermediate CA certificates in the signing chain for the issued certificate.

Importing a certificate chain is a two-step process:

Step 1

Import the certificate chain file into the Certificate Store using the Adding a Certificate to Certificate Store operation. This operation imports all certificates from the file except the last one into the Certificate Store. You can perform this step only on the primary Administration node.

Step 2

Import the certificate chain file using the Binding a CA-Signed Certificate operation. This operation imports the last certificate from the file as a local certificate.

Installation of CA Certificates for Cisco ISE Inter-node Communication

In a distributed deployment, before registering a secondary node, you must populate the primary node’s CTL with the appropriate CA certificates that are used to validate the HTTPS certificate of the secondary node. The procedure to populate the CTL of the primary node is different for different scenarios:

• If the secondary node is using a CA-signed certificate for HTTPS communication, you must import the CA-signed certificate of the secondary node into the CTL of the primary node.

• If the secondary node is using a self-signed certificate for HTTPS communication, you can import the self-signed certificate of the secondary node into the CTL of the primary node.

Note If you change the HTTPS certificate on the registered secondary node after registering your secondary node to the primary node, you must obtain appropriate CA certificates that can be used to validate the secondary node’s HTTPS certificate.

Related Topics

• Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL, page E-28

• Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node, page E-29

Importing a CA-Signed Certificate from a Secondary Node into the Primary Node’s CTL

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Log in to the Admin portal of the node that you are going to register as your secondary node, and export the CA-signed certificate that is used for HTTPS communication to the file system running your client browser.


Step 2

In the Export dialog box, click the Export Certificate Only radio button.

Step 3

Log in to the Admin portal of your primary node, and import the CA-signed certificate of the secondary node into the CTL of the primary node.

Related Topics

• Exporting a Certificate from the Certificate Store, page E-27

• Adding a Certificate to Certificate Store, page E-27

Importing a Self-Signed Certificate from a Secondary Node into the CTL of the Primary Node

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Step 1

Log in to the Admin portal of the node that you are going to register as your secondary node, and export the self-signed certificate that is used for HTTPS communication to the file system running your client browser.

Step 2

In the Export dialog box, click the Export Certificate Only radio button.

Step 3

Log in to the Admin portal of your primary node, and import the self-signed certificate of the secondary node into the CTL of the primary node.

Related Topics

• Exporting a Local Certificate, page E-22

• Adding a Certificate to Certificate Store, page E-27

Simple Certificate Enrollment Protocol Profiles

To help enable certificate provisioning functions for the variety of mobile devices that users can register on the network, Cisco ISE enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) Certificate Authority (CA) profiles to point Cisco ISE to multiple CA locations. The benefit of allowing multiple profiles is to help ensure high availability and perform load balancing across the CA locations that you specify. If a request to a particular SCEP CA goes unanswered three consecutive times, Cisco ISE declares that particular server unavailable and automatically moves to the CA with the next lowest known load and response times, then begins periodic polling until the server comes back online. For details on how to set up your Microsoft SCEP server to interoperate with Cisco ISE, see http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf.

Related Topics

• Adding Simple Certificate Enrollment Protocol Profiles, page E-30

• OCSP Services, page E-30


Adding Simple Certificate Enrollment Protocol Profiles

Step 1

Choose Administration > System > Certificates > SCEP CA Profile.

Step 2

Specify a Name for the profile to distinguish it from other SCEP CA profile names.

Step 3

Enter an optional Description of the profile.

Step 4

Specify the URL of the SCEP CA server in question, where Cisco ISE can direct SCEP CA requests when users access the network from their mobile devices. You can optionally use the adjacent Test Connectivity button to verify that Cisco ISE is able to reach the server at the URL that you specify, before clicking the Submit button to end the session. (Either way, Cisco ISE tests the URL before allowing you to save the profile.)

Step 5

Click Submit.

For Reference:

Once users’ devices receive their validated certificate, it resides on the device as described in Table E-1.

Table E-1  Device Certificate Location

Device        Certificate Storage Location   Access Method
iPhone/iPad   Standard certificate store     Settings > General > Profile
Android       Encrypted certificate store    Invisible to end users. Note: Certificates can be removed using Settings > Location & Security > Clear Storage.
Windows       Standard certificate store     Launch mmc.exe from the cmd prompt or view in the certificate snap-in.
Mac           Standard certificate store     Application > Utilities > Keychain Access

OCSP Services

The Online Certificate Status Protocol (OCSP) is a protocol that is used for checking the status of X.509 digital certificates. This protocol is an alternative to the Certificate Revocation List (CRL) and addresses issues that arise in handling CRLs. Cisco ISE has the capability to communicate with OCSP servers over HTTP to validate the status of certificates in authentications. The OCSP configuration is held in a reusable configuration object that can be referenced from any certificate authority (CA) certificate that is configured in Cisco ISE. See Editing a Certificate Store Certificate, page E-27. You can configure CRL and/or OCSP verification per CA. If both are selected, Cisco ISE first performs verification over OCSP. If a communication problem is detected with both the primary and secondary OCSP servers, or if an unknown status is returned for a given certificate, Cisco ISE switches to checking the CRL.

This section contains the following topics:

• OCSP Certificate Status Values, page E-31


• OCSP High Availability, page E-31

• Adding OCSP Services, page E-32

• OCSP Statistics Counters, page E-33

• OCSP Failures, page E-31

• Monitoring OCSP, page E-34

OCSP Certificate Status Values

OCSP services return the following values for a given certificate request:

• Good—Indicates a positive response to the status inquiry. It means that the certificate is not revoked, and the state is good only until the next time interval (time to live) value.

• Revoked—The certificate was revoked.

• Unknown—The certificate status is unknown. This can happen if the OCSP responder is not configured to handle the given certificate CA.

• Error—No response was received for the OCSP request.

Related Topics

• OCSP Statistics Counters, page E-33

OCSP High Availability

Cisco ISE can be configured with up to two OCSP servers per CA, called the primary and secondary OCSP servers. Each OCSP server configuration contains the following parameters:

• URL—The OCSP server URL.

• Nonce—A random number that is sent in the request. This option ensures that old communications cannot be reused in replay attacks.

• Validate response—Cisco ISE validates the response signature that is received from the OCSP server.

In case of a timeout (which is 5 seconds) when Cisco ISE communicates with the primary OCSP server, it switches to the secondary OCSP server. Cisco ISE uses the secondary OCSP server for a configurable amount of time before attempting to use the primary server again.

OCSP Failures

The three general OCSP failure scenarios are as follows:

1. Failed OCSP cache or OCSP client side (Cisco ISE) failures.

2. Failed OCSP responder scenarios, for example:
   a. The primary OCSP responder not responding, and the secondary OCSP responder responding to the Cisco ISE OCSP request.
   b. Errors or responses not received from Cisco ISE OCSP requests.


   An OCSP responder may not provide a response to the Cisco ISE OCSP request, or it may return an OCSP Response Status that is not successful. OCSP Response Status values can be as follows:
   – tryLater
   – sigRequired
   – unauthorized
   – internalError
   – malformedRequest

   There are many date-time checks, signature validity checks, and so on, in the OCSP request. For more details, refer to RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, which describes all the possible states, including the error states.

3. Failed OCSP reports

Adding OCSP Services

You can use the Add OCSP page to add new OCSP services to Cisco ISE.

Step 1

Choose Administration > System > Certificates > OCSP Services.

Step 2

Click Add.

Step 3

Provide a name and description for the OCSP service.

Step 4

Check the Enable Secondary Server check box if you want to enable high availability.

Step 5

Select one of the following options for high availability:

• Always Access Primary Server First—Use this option to check the primary server before trying to move to the secondary server. Even if the primary was checked earlier and found to be unresponsive, Cisco ISE tries to send a request to the primary server before moving to the secondary server.

• Fallback to Primary Server After Interval—Use this option when you want Cisco ISE to move to the secondary server and then fall back to the primary server again. In this case, all other requests are skipped, and the secondary server is used for the amount of time that is configured in the text box. The allowed time range is 1 to 999 minutes.

Step 6

Provide the URLs or IP addresses of the primary and secondary OCSP servers.

Step 7

Check or uncheck the following options:

• Nonce—You can configure a nonce to be sent as part of the OCSP request. The Nonce includes a pseudo-random number in the OCSP request. Cisco ISE verifies that the number received in the response is the same as the number included in the request. This option ensures that old communications cannot be reused in replay attacks.

• Validate Response Signature—The OCSP responder signs the response with one of the following:
  – The CA certificate
  – A certificate different from the CA certificate

  For Cisco ISE to validate the response signature, the OCSP responder needs to send the response along with the certificate; otherwise the response verification fails, and the status of the certificate cannot be relied on. According to the RFC, OCSP can sign the response using different certificates. This is acceptable as long as the OCSP responder sends the certificate that signed the response for Cisco ISE to validate it. If the OCSP responder signs the response with a different certificate that is not configured in Cisco ISE, the response verification fails.

Step 8

Provide the number of minutes for the Cache Entry Time to Live. Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the certificate will be updated next on the server. When the OCSP response is cached, the two values (one from the configuration and another from the response) are compared, and the response is cached for the period of time that is the lower of the two. If the nextUpdate value is 0, the response is not cached at all. Cisco ISE caches OCSP responses for the configured time. The cache is not replicated or persistent, so when Cisco ISE restarts, the cache is cleared. The OCSP cache is used to maintain the OCSP responses for the following reasons:

• To reduce network traffic and load from the OCSP servers on an already-known certificate

• To increase the performance of Cisco ISE by caching already-known certificate statuses

Step 9

Click Clear Cache to clear entries of all the certificate authorities that are connected to the OCSP service. In a deployment, Clear Cache interacts with all the nodes and performs the operation. This mechanism updates every node in the deployment.
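The failover, cache and CRL rules described under OCSP High Availability, in the Step 5 options and in Step 8 above, put together as an added example (not Cisco code). Responders, serial numbers and the clock are constructed; the 5-second timeout is modelled by a responder that raises TimeoutError, and the counter names follow the syslog message names listed under OCSP Statistics Counters.

```python
"""Model of the OCSP decision flow described for Cisco ISE: primary/secondary
responder failover under the two high-availability options, a response cache
bounded by the configured TTL and the responder's nextUpdate, and fallback to
the CRL. Added example, not Cisco code; a simulated responder returns
(status, seconds_until_nextUpdate) or raises TimeoutError."""
import time
from typing import Callable, Dict, List, Optional, Tuple

GOOD, REVOKED, UNKNOWN, ERROR = "good", "revoked", "unknown", "error"
Responder = Callable[[str], Tuple[str, float]]


class OcspService:
    def __init__(self, primary: Responder, secondary: Optional[Responder] = None,
                 cache_ttl_minutes: float = 60.0,
                 fallback_interval_minutes: Optional[float] = None,
                 crl: Optional[Callable[[str], str]] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.primary, self.secondary, self.crl, self.clock = primary, secondary, crl, clock
        self.cache_ttl = cache_ttl_minutes * 60
        # None selects "Always Access Primary Server First"; a value (1..999 minutes
        # in the UI) selects "Fallback to Primary Server After Interval".
        self.fallback_interval = (None if fallback_interval_minutes is None
                                  else fallback_interval_minutes * 60)
        self.secondary_until = 0.0                      # prefer the secondary until this time
        self.cache: Dict[str, Tuple[str, float]] = {}   # serial -> (status, expiry)
        self.counters = {"OCSPPrimaryNotResponsiveCount": 0,
                         "OCSPSecondaryNotResponsiveCount": 0,
                         "NumOfCertsFoundInCache": 0}

    def _ask(self, role: str, responder: Responder, serial: str) -> Tuple[str, float]:
        try:
            return responder(serial)          # a real client gives up after 5 seconds
        except TimeoutError:
            self.counters[f"OCSP{role}NotResponsiveCount"] += 1
            return ERROR, 0.0

    def _order(self, now: float) -> List[Tuple[str, Responder]]:
        """Responder order for this request under the selected HA option."""
        if self.secondary and self.fallback_interval is not None and now < self.secondary_until:
            return [("Secondary", self.secondary), ("Primary", self.primary)]
        order = [("Primary", self.primary)]
        if self.secondary:
            order.append(("Secondary", self.secondary))
        return order

    def check(self, serial: str) -> str:
        now = self.clock()
        cached = self.cache.get(serial)
        if cached and cached[1] > now:
            self.counters["NumOfCertsFoundInCache"] += 1
            return cached[0]
        status = ERROR
        for role, responder in self._order(now):
            status, next_update = self._ask(role, responder, serial)
            if status == ERROR:
                if role == "Primary" and self.fallback_interval is not None:
                    self.secondary_until = now + self.fallback_interval
                continue                      # try the other responder
            if status in (GOOD, REVOKED):     # assumed: only definite answers are cached
                ttl = min(self.cache_ttl, next_update)   # the lower of the two values
                if ttl > 0:                   # nextUpdate of 0: do not cache
                    self.cache[serial] = (status, now + ttl)
            break
        if status in (UNKNOWN, ERROR) and self.crl is not None:
            return self.crl(serial)           # OCSP gave no usable answer: check the CRL
        return status

    def clear_cache(self) -> None:            # "Clear Cache"; a restart has the same effect
        self.cache.clear()


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: the primary never answers, the secondary answers
    with a two-minute nextUpdate, and the CRL decides an 'unknown' certificate."""
    clock = [1000.0]
    def primary(serial: str):
        raise TimeoutError
    def secondary(serial: str):
        return {"0x02": (REVOKED, 120.0), "0x03": (UNKNOWN, 0.0)}.get(serial, (GOOD, 120.0))
    def crl(serial: str):
        return REVOKED if serial == "0x03" else GOOD
    svc = OcspService(primary, secondary, cache_ttl_minutes=10,
                      fallback_interval_minutes=5, crl=crl, clock=lambda: clock[0])
    out = {"first": svc.check("0x01")}        # primary times out, secondary answers, cached 120 s
    out["cached"] = svc.check("0x01")         # served from the cache, no responder contacted
    clock[0] = 1150.0                         # cache entry expired; still inside the 5-minute fallback
    out["after_expiry"] = svc.check("0x01")   # secondary is asked first, primary not retried
    out["revoked"] = svc.check("0x02")
    out["unknown_to_crl"] = svc.check("0x03")
    clock[0] = 1400.0                         # fallback interval over: primary is tried again
    out["fallback"] = svc.check("0x04")
    out.update(svc.counters)
    return out
```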

OCSP Statistics Counters

The OCSP counters are used for logging and monitoring the data and health of the OCSP servers. Logging occurs every five minutes. A syslog message is sent to the Cisco ISE Monitoring node and is preserved in the local store, which contains data from the previous five minutes. After the message is sent, the counters are recalculated for the next interval. This means that after five minutes, a new five-minute window interval starts again. Table E-2 lists the OCSP syslog messages and their descriptions.

Table E-2  OCSP Syslog Messages

Message                           Description
OCSPPrimaryNotResponsiveCount     The number of nonresponsive primary requests
OCSPSecondaryNotResponsiveCount   The number of nonresponsive secondary requests
OCSPPrimaryCertsGoodCount         The number of ‘good’ certificates that are returned for a given CA using the primary OCSP server
OCSPSecondaryCertsGoodCount       The number of ‘good’ statuses that are returned for a given CA using the secondary OCSP server
OCSPPrimaryCertsRevokedCount      The number of ‘revoked’ statuses that are returned for a given CA using the primary OCSP server
OCSPSecondaryCertsRevokedCount    The number of ‘revoked’ statuses that are returned for a given CA using the secondary OCSP server
OCSPPrimaryCertsUnknownCount      The number of ‘Unknown’ statuses that are returned for a given CA using the primary OCSP server
OCSPSecondaryCertsUnknownCount    The number of ‘Unknown’ statuses that are returned for a given CA using the secondary OCSP server
OCSPPrimaryCertsFoundCount        The number of certificates that were found in the cache from a primary origin
OCSPSecondaryCertsFoundCount      The number of certificates that were found in the cache from a secondary origin
ClearCacheInvokedCount            How many times Clear Cache was triggered since the interval started
OCSPCertsCleanedUpCount           How many cached entries were cleaned up since the interval started
NumOfCertsFoundInCache            Number of requests fulfilled from the cache
OCSPCacheCertsCount               Number of certificates that were found in the OCSP cache

Monitoring OCSP

You can view the OCSP services data in the form of an OCSP Monitoring Report. For more information on Cisco ISE reports, refer to the Cisco Identity Services Engine User Guide, Release 1.2.

Configuring Certificates for Inline Posture Nodes

After you install the Inline Posture node Release 1.2 ISO image on any of the supported appliance platforms and run the setup program, you must configure certificates for the Inline Posture nodes before you can add them to the deployment. You configure Inline Posture node certificates only from the CLI.

Before You Begin

• The Inline Posture node must be certified by the same certificate authority (CA) that certified the primary Administration node.

• If you wish to deploy an active-standby pair of Inline Posture nodes, you must configure the certificates on both the active and standby Inline Posture nodes.

Step 1

Log in to the Inline Posture node through the CLI.

Step 2

Enter the following command:

pep certificate server generatecsr

Step 3

Enter n to use an existing private key file with the certificate signing request (CSR), or enter y to generate a new one.

Step 4

Enter the desired key size.

Step 5

Enter the type of digest that you want to sign the certificate with.

Step 6

Enter a country code name (2-letter code).

Step 7

Enter values for the state, city, organization, and organizational unit.


Step 8

Enter the Common Name. The Common Name is the same as your hostname. You must enter the fully qualified domain name (FQDN). For example, if your hostname is IPN1 and your DNS domain name is cisco.com, you must enter IPN1.cisco.com as your Common Name.

Step 9

Enter an e-mail address.

Step 10

Copy the entire block of text, including the blank line after the END CERTIFICATE REQUEST tag (to include the carriage return).

Step 11

Send this CSR to the CA that signed the primary Administration node certificate. If you are using the Microsoft CA, choose Web Server as the certificate template when sending the signing request.

Note Only server authentication is supported in Release 1.2. If you use other CAs to sign a certificate, ensure that the extended key usage specifies server authentication alone.

Step 12

Download the signed certificate in DER or base64 format and copy it to an FTP server.

Step 13

Enter the following command from the Inline Posture node CLI:

copy ftp://a.b.c.d/ipn1.cer disk:

where a.b.c.d is the IP address of the FTP server and ipn1.cer is the CA-signed certificate that you are adding to the Inline Posture node.

Step 14

Enter the username and password for the FTP server.

Step 15

Enter the following command from the Inline Posture node CLI:

pep certificate server add

Step 16

Enter y for the application to restart.

Step 17

Enter y to bind the certificate to the last CSR.

Step 18

Enter the name of the CA-signed certificate. The Inline Posture application restarts. You can now register this Inline Posture node with your primary Administration node. Refer to the Cisco Identity Services Engine User Guide, Release 1.2 for more information.
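The procedure above generates the CSR and binds the signed certificate on the node itself; this added example (not Cisco's code) shows the equivalent openssl checks an administrator can run on a workstation before submitting a CSR and before copying a signed certificate to the FTP server: that the Common Name is an FQDN as Step 8 requires, and that the extended key usage names server authentication alone as the Note in Step 11 requires. It assumes openssl 1.1.1 or later is installed; the hostnames and e-mail address are constructed.

```shell
#!/bin/sh
# Added example (not Cisco's code): pre-submission checks for an Inline Posture
# node certificate, done with openssl on an administrator workstation.
# Requires openssl 1.1.1 or later. All names and the e-mail address are constructed.
set -eu

WORK=$(mktemp -d)

# Build a CSR whose Common Name is the node's FQDN, as Step 8 requires.
# $1 = FQDN (for example IPN1.cisco.com), $2 = e-mail address; writes ipn.key and ipn.csr.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/ipn.key" -out "$WORK/ipn.csr" \
        -subj "/C=US/ST=California/L=San Jose/O=Example Corp/OU=Network/CN=$1/emailAddress=$2" \
        2>/dev/null
}

# Succeed only if the CSR's Common Name is fully qualified (contains a dot).
# $1 = CSR file
csr_cn_is_fqdn() {
    cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$cn" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed only if the certificate's Extended Key Usage is server authentication
# alone, the condition the Note in Step 11 places on certificates from other CAs.
# $1 = certificate file (PEM or DER, as downloaded in Step 12)
eku_is_server_auth_only() {
    inform=PEM
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null || inform=DER
    eku=$(openssl x509 -in "$1" -inform "$inform" -noout -text 2>/dev/null \
          | sed -n '/X509v3 Extended Key Usage/{n;p;}' | tr -d ' ')
    [ "$eku" = "TLSWebServerAuthentication" ]
}

# Stand-in for the CA (constructed): self-sign the CSR with the given EKU list
# so the check above can be exercised offline.  $1 = EKU list, $2 = output file
sign_csr() {
    printf 'extendedKeyUsage=%s\n' "$1" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/ipn.csr" -signkey "$WORK/ipn.key" -days 1 \
        -extfile "$WORK/ext.cnf" -out "$2" 2>/dev/null
}

demo() {
    make_csr "IPN1.cisco.com" "ipn-admin@cisco.com"
    csr_cn_is_fqdn "$WORK/ipn.csr" && echo "CSR Common Name is an FQDN"
    sign_csr serverAuth "$WORK/server-only.pem"
    sign_csr serverAuth,clientAuth "$WORK/server-and-client.pem"
    eku_is_server_auth_only "$WORK/server-only.pem" && echo "server-only.pem: EKU acceptable"
    eku_is_server_auth_only "$WORK/server-and-client.pem" || echo "server-and-client.pem: EKU rejected"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run the script with the argument demo to see both the accepted and the rejected case.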

